Rule Title | Rule Author | Ruleset Name | ID | #Files | #Undetected Files
--- | --- | --- | --- | --- | ---
Creation of an Executable by an Executable | frack113 | Sigma Integrated Rule Set (GitHub) | b5386a23355681c43cfbd2f2ccfe4b16ed45324d0d7b5583487a9f302ee1e427 | 12217111 | 1509284
Failed Code Integrity Checks | Thomas Patzke | Sigma Integrated Rule Set (GitHub) | 134564d292d785dff102940b8a1ee06dba2d462c5fb852124b3771a49d7885f1 | 8969619 | 3408280
Wow6432Node Windows NT CurrentVersion Autorun Keys Modification | Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Sigma Integrated Rule Set (GitHub) | 3e5fe19fbbb767b861e93022c3f95d25e1618fc86be75b05326ee57b2f75633c | 3734853 | 1402424
Python Initiated Connection | frack113 | Sigma Integrated Rule Set (GitHub) | e4d5f1be0673fa786cc8379c15338af08cdd11eed433bead9e801d6204d42a2d | 2695352 | 640754
Wow6432Node CurrentVersion Autorun Keys Modification | Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Sigma Integrated Rule Set (GitHub) | 18842e32896dd83b8aca4d5e1ac78c1f66b1d252479c0023cdd02f108c42c8cd | 2613099 | 28636
Process Creation Using Sysnative Folder | Max Altgelt (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 1dfbc92aba26dc597751f9cf42ff3eac446b827525d1a38ea6fb4141c9f9af01 | 2504135 | 930708
Use Remove-Item to Delete File | frack113 | Sigma Integrated Rule Set (GitHub) | d9b2eb00753c3049fbb4ed4f7d88f29b65a0c50bec45ff4723b95bb637f8f83d | 2482666 | 979155
CurrentVersion Autorun Keys Modification | Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Sigma Integrated Rule Set (GitHub) | 8b5db9da5732dc549b0e8b56fe5933d7c95ed760f3ac20568ab95347ef8c5bcc | 2243710 | 59871
User with Privileges Logon | frack113 | Sigma Integrated Rule Set (GitHub) | 8919a871f4a52b7af785fab44b4665ab6a3637e6ebeeac0288df8a5012a48be2 | 1809546 | 771934
Process Start From Suspicious Folder | frack113 | Sigma Integrated Rule Set (GitHub) | 539d657ea3dfb52773cd8616d93fd64ba9112091984d1c3eb044c6e5dadd2c5c | 1351791 | 272439
Suspicious Outbound SMTP Connections | frack113 | Sigma Integrated Rule Set (GitHub) | 3659f9925f327ac0ba2be9b3c8c7240f432c4b62f162b846c10410fff320b6f7 | 1174707 | 234
Suspicious New Instance Of An Office COM Object | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ffbbcedfb9a1fd41ebb288154c10cf5cf869eb25195708be30f8a9df74f411cc | 907362 | 776163
Password Protected Compressed File Extraction Via 7Zip | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 22e867c244280c1d01bcddc8355c10d82b6c69577cd784cefbbe4eb5e7a82f65 | 877770 | 159064
System File Execution Location Anomaly | Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali | Sigma Integrated Rule Set (GitHub) | 25fc56c1bee673d7ff3edcf371e4d2a36c0af83222da348961b87735c8efa61f | 869678 | 7494
Powershell Create Scheduled Task | frack113 | Sigma Integrated Rule Set (GitHub) | 60d527fe5a592cbe8e98428d1412743b909d5625ec8bc91d20e8b6ee8b36db20 | 825583 | 282481
Suspicious Screensaver Binary File Creation | frack113 | Sigma Integrated Rule Set (GitHub) | ad081ff821748a3cd86b5954ef5c3d7d2a6602fe0b6e50ed47938b98bc184122 | 763400 | 3350
Disable Microsoft Defender Firewall via Registry | frack113 | Sigma Integrated Rule Set (GitHub) | 4d91cff1255532aacd25d7b82261d545afc7d30837d1643a0dd2c4617aec5865 | 745600 | 298954
SCR File Write Event | Christopher Peacock @securepeacock, SCYTHE @scythe_io | Sigma Integrated Rule Set (GitHub) | 7a463b569de43655b8e8cf5b970001d720c38abf81bce54ba71ad19765b096e7 | 724340 | 2698
Suspicious Double Extension Files | Nasreddine Bencherchali (Nextron Systems), frack113 | Sigma Integrated Rule Set (GitHub) | c9e528bd3557dc88b06bd5d2dfbadd96e24026bd2d890a2604febd2829c3146b | 680680 | 98
CurrentVersion NT Autorun Keys Modification | Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Sigma Integrated Rule Set (GitHub) | d706314122bff93e0dbdf079f1d1904d2f00407f34a893487d70105b1dc5b9ed | 624276 | 6659
Change PowerShell Policies to an Insecure Level | frack113 | Sigma Integrated Rule Set (GitHub) | 06b48fa7870d38bdf92b4d4a9b9c4a4df779bd405fdc5ba0e70911df20027ce1 | 578658 | 287151
File deletion via CMD (via cmdline) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | f9333cf120369debd56e4e238fffa10bdb2a1497c11e08a082befd02f9f3bdf2 | 574889 | 195331
Execution of Suspicious File Type Extension | Max Altgelt (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 2104d1ee1ce64e7aa3dbd368652a54ce160e6a5751019af14601fc8fd1df8086 | 506960 | 12344
Suspicious Get-WmiObject | frack113 | Sigma Integrated Rule Set (GitHub) | 1f7f8b1e9005dd4d64cb9d30ed53ee94f68fb96262fbd72f7a0266881149c79f | 487743 | 199084
Suspicious Call by Ordinal | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b7eb83db20f6f8b5f580e107c2b6816110a31869a94de5e2797d917335d9fbc0 | 451718 | 343070
CMD Shell Output Redirect | frack113 | Sigma Integrated Rule Set (GitHub) | e77646c39db7fa011a5223aeb73c738046787fc7f62a99394e883d76a54341f7 | 408792 | 101492
Change PowerShell Policies to an Insecure Level - PowerShell | frack113 | Sigma Integrated Rule Set (GitHub) | 5572c8188426269a10ccb41fc8e9c8445391ac38a0917621b0a1ee05ec99aac9 | 405563 | 157377
Potential Persistence Via COM Search Order Hijacking | Maxime Thiebaut (@0xThiebaut), oscd.community, Cédric Hien | Sigma Integrated Rule Set (GitHub) | 7f5d257abc981b5eddb52d4a9a02fb66201226935cf3d39177c8a81c3a3e8dd4 | 280985 | 138941
Stop Windows Service | Jakob Weinzettl, oscd.community, Nasreddine Bencherchali | Sigma Integrated Rule Set (GitHub) | 9afc79c8a56e6e5c4cbd55d203a7dce8efc4ed28aa315b736c842a88b1d3dd0e | 272627 | 97147
Potential Persistence Via COM Hijacking From Suspicious Locations | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | c64a541b46d176ef960f347f5e86ee15927eb668f86a5f9f6260bbc94b1d2f3a | 271867 | 132660
Net.exe Execution | Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements) | Sigma Integrated Rule Set (GitHub) | f1048c602439313e72f67c634350106ba7b709512529457a6f0a5eca6835bc89 | 271667 | 100395
Suspicious Svchost Process | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a0daa529834b3c5230b4524da005a6b6503e7cb061e298a8f74e0dc1fee0a008 | 267698 | 792
Windows Processes Suspicious Parent Directory | vburov | Sigma Integrated Rule Set (GitHub) | afd546ea5eff265c454f77f6e7641ade6e5a791d79de155fa27d377be1581535 | 264410 | 856
Service StartupType Change Via Sc.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b55af83c751d2c7bca8dbba245a97017e34109bff34fd50b02f60a91111ea703 | 242097 | 93933
Suspicious Tasklist Discovery Command | frack113 | Sigma Integrated Rule Set (GitHub) | 54b43d3a279bdcbcca22abf416f8b57c691f2c84a9363507162ca472e30ab902 | 239937 | 97305
Suspicious Network Command | frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io' | Sigma Integrated Rule Set (GitHub) | 76a1e5bc5c7d4b95d8c382b4ecefb6a628ea4fba6cbf029fbb3cc32d36dcce57 | 238877 | 93504
Execution from Suspicious Folder | Florian Roth (Nextron Systems), Tim Shelton | Sigma Integrated Rule Set (GitHub) | f8d48ec1128b00975e61e06393f6bb04a1d033a94c556d213b3bcb78a80589d8 | 235347 | 9561
Cscript Visual Basic Script Execution | frack113 | Sigma Integrated Rule Set (GitHub) | 140aa55cb94f2ee1de560a395631283b557b8f771117a7991289298e2c6e7f6e | 234969 | 93848
Suspicious Eventlog Clear or Configuration Change | Ecco, Daniil Yugoslavskiy, oscd.community, D3F7A5105 | Sigma Integrated Rule Set (GitHub) | b8f19be4c7bf862dce0d4d1f7885f2207ddf93b3a33d8a6e16f3968c4fbb6491 | 232598 | 94048
Non Interactive PowerShell | Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Sigma Integrated Rule Set (GitHub) | 1c2e4db94ca79f939e94e29c04fb3b71467fc6f5b9c31db34fcce5a2fb3b856f | 232397 | 93321
Powershell Detect Virtualization Environment | frack113, Duc.Le-GTSC | Sigma Integrated Rule Set (GitHub) | 6e1823de286f8bef414c648f5738bec3bd40700cba3765da26e6500bc2d8e387 | 230007 | 93135
Root Certificate Installed | oscd.community, @redcanary, Zach Stanford @svch0st | Sigma Integrated Rule Set (GitHub) | aaa442da8065368308d21225f195c966f7aacd66f4a7703b37f095739a0752d4 | 229891 | 93109
Powershell Suspicious Win32_PnPEntity | frack113 | Sigma Integrated Rule Set (GitHub) | 7cf1e08df2c1e71b9ecbab0ba652d8d7adc890f53db8c630b859d32064f3eb3a | 229759 | 93073
Disable UAC Using Registry | frack113 | Sigma Integrated Rule Set (GitHub) | 80708cad12d59acde6c91bdfbb0ed867ffd0538e97f962f2ffd72040a66ecb6b | 203213 | 324
New RUN Key Pointing to Suspicious Folder | Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing | Sigma Integrated Rule Set (GitHub) | 27b72c2678411f21ba21bd10b44b7e9c45594d5a5f61f14223b81a8906675039 | 189117 | 7273
Registry Modification to Hidden File Extension | frack113 | Sigma Integrated Rule Set (GitHub) | e6d175111f1e8dfecb77e2bbe404bdaad31873a97477136b427187abb5d09a89 | 188150 | 111
Suspect Svchost Activity | David Burkett, @signalblur | Sigma Integrated Rule Set (GitHub) | dc04e64e69f5446c2a31920ee22415626307d5f3d0fb73ad81b9d3301a41000a | 145036 | 56
Scheduled Task Creation | Florian Roth | Sigma Integrated Rule Set (GitHub) | 3bc9d14114a6b67367a24df21134d0564d6f08a0ad903d68f9b25e9d8b7f0790 | 135653 | 2061
Suspicious Schtasks From Env Var Folder | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 0533322c5c44794b71e761cd351a2459aad6e21ae95c9543d4c9fdb3c8fde6c4 | 134995 | 2677
Suspicious Process Creation | Florian Roth | SOC Prime Threat Detection Marketplace | f09d5248ed8fc1a93251158bfda71f8144ccaf37fa922416ccd897498bff7c55 | 130111 | 3135
Suspicious Double Extension File Execution | Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 5ead81ee12f2097316af35270a1ac0f8623db054349c52ef366fc42a4b7d2de2 | 125487 | 71
Sysmon Configuration Change | frack113 | Sigma Integrated Rule Set (GitHub) | 953121a751fbc01b581e57dfbcfb08d3f714fa9df54e4180dfb7564c3b2e3153 | 120794 | 41788
Windows Binaries Write Suspicious Extensions | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 6676ee2bf136155325337ad27ca431e57ff815b4fbddfaf94908c8ae566aa5b6 | 114010 | 8010
PowerShell Network Connections | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b5e9f310ab6a8611ea1b7b788e712f0f6bf452c3092675694cf6256931874071 | 104417 | 18942
Remote Thread Creation In Uncommon Target Image | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ea7ec9e92c165a4cef023fd658ef72279f03378ab53f4481eb973ecb2171b193 | 99745 | 2194
Suspicious Execution of Taskkill | frack113 | Sigma Integrated Rule Set (GitHub) | cd06da2f3978bdb24b3f3c8f83c7df917a910c6b29921d0e375e418f340d8f3d | 99262 | 15837
Floxif Trojan | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 98d1e74d54870538bf25e55522e0e31814ceaa32679120ff66addce78f4c461d | 92092 | 1530
File Deletion Via Del | frack113 | Sigma Integrated Rule Set (GitHub) | 77ed185ff979a8d9206b5eed07bf6d5823529f713ed0ea19f2ef7a4a355568bc | 80748 | 4381
Suspicious Schtasks Schedule Type With High Privileges | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | e36b579d4bc4ef49ede1d82dd08ec1cba660d105c6f037d12ecf79b434617e88 | 79703 | 3654
Suspicious Add Scheduled Task Parent | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 66d80afb92c9db3881829096827fcacc7b8a697c3ceeb3318163ce83367f394b | 77169 | 2295
Powershell Defender Exclusion | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 7e416af5a1bb67fdbd2f30ae3f5da7f74583460b36546527c909c354fb5dcd00 | 76307 | 1700
Use NTFS Short Name in Command Line | frack113, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | c0bf6ba71da9d0f13368b0f1281354c8f9b3d491845ea5902282fece277ec655 | 74866 | 6763
Suspicious Script Execution From Temp Folder | Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton | Sigma Integrated Rule Set (GitHub) | 96d2c399118cab5d249093badf4a85f0ef1889872b0191bdf131bcabc0994681 | 70584 | 7285
Shade Ransomware (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | d8f0141497fc47a78fbf41591174881fdf0e85f2937b08befec5c6273f8867d2 | 68733 | 30
Schedule system process | Joe Security | Joe Security Rule Set (GitHub) | 02b55b29ddf740930b68c311ca7cd59354f8c35ceda86d09a3fb06f08b760857 | 67985 | 146
WmiPrvSE Spawned A Process | Roberto Rodriguez @Cyb3rWard0g | Sigma Integrated Rule Set (GitHub) | 1429a6819ff25aad68fb09601fb0b63c4be24919adfd25c4ad925ef8d47d8f22 | 61944 | 116
Suspicious DNS Query for IP Lookup Service APIs | Brandon George (blog post), Thomas Patzke (rule) | Sigma Integrated Rule Set (GitHub) | 3a2766a08d32a855b604a786cddc0f76fee13e6ccd22e01d4878150f0ef1eebc | 61340 | 542
Rundll32 Execution Without DLL File | Tim Shelton, Florian Roth (Nextron Systems), Yassine Oukessou (fix + fp) | Sigma Integrated Rule Set (GitHub) | e7856bac967038b016efab8e4f315a2f16ccd6ba62f20d73df0ad3826fe654a3 | 60690 | 5853
CurrentControlSet Autorun Keys Modification | Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Sigma Integrated Rule Set (GitHub) | 5bddd3dd0944d27f3ff8b03e8a8a01f5a9d14540ea1779da5683fe601557a364 | 59162 | 1011
Powershell File and Directory Discovery | frack113 | Sigma Integrated Rule Set (GitHub) | febfc891e8c04ffe16ce1a9eaf5731b0a321cf42be5c06aed06252ec31cdbb79 | 58217 | 20845
Rundll32 With Suspicious Parent Process | CD_ROM_ | Sigma Integrated Rule Set (GitHub) | 63bcc6f98c4a5594772428a329b433392d70f18a841926328607f303f3d782a5 | 58019 | 1342
Swisyn Trojan (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 173f49a095aef2bc0480b5f8a8ae6c2d0e4125f9096d618a3865346b34d726fa | 56601 | 80
LOLBAS rundll32 without expected arguments (via cmdline) | SOC Prime Team | SOC Prime Threat Detection Marketplace | 2fd6d2b16365ba7157eee4934b406ac7d530b4ec62cc1b45c69ee4f07989f139 | 55619 | 5138
Msiexec Initiated Connection | frack113 | Sigma Integrated Rule Set (GitHub) | 4a7e3b52f438365db6b61867f157e3bc434b40fb9916eba681bb857e7a1041ee | 52135 | 36702
Service Binary in Uncommon Folder | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a55e06a3fb02c5ab9e6338bc2b61d50ebaa7e4236c27862400b7633243f477be | 49952 | 7920
Use Short Name Path in Command Line | frack113, Nasreddine Bencherchali | Sigma Integrated Rule Set (GitHub) | 3c0434c2b9b483a1c7879404c2a80556dc54436bf222a970ca7131b1f30079f1 | 48996 | 23650
Set Files as System Files Using Attrib.EXE | frack113 | Sigma Integrated Rule Set (GitHub) | 62ce96b648991749ff9b9ccc7dafa1d8da64d6490e9f469683f00fa248ef9336 | 48893 | 800
RDP Hijacking. Last logged-on user changed. | Den Iuzvyk | SOC Prime Threat Detection Marketplace | 13ed88b8063438c80d6eb6c7e9aeda38d201453d83fa949f65867ced46825db3 | 48327 | 17481
Service Binary in Suspicious Folder | Florian Roth (Nextron Systems), frack113 | Sigma Integrated Rule Set (GitHub) | 71686ca6fd31ecd29454e2d39e38be5c971f96ad539e461b7d1d79b85f90182a | 44970 | 4260
LatentBot malware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | f5653d51811614b162ab7311b24033c85bf166bbc322d83f4f72d0b9a366a01f | 42523 | 19712
Oilrig | Ariel Millahuel | SOC Prime Threat Detection Marketplace | c01baa2540aeb8f23c067318100db0ab3618e37acf7e219372e750398969c606 | 39841 | 22115
Shell Open Registry Keys Manipulation | Christian Burkard | Sigma Integrated Rule Set (GitHub) | cd6c2801be2f14154f9616435303948eacedd79025bd0646cb3c34bb536b7cab | 37513 | 57
Suspicious Execution of Powershell with Base64 | frack113 | Sigma Integrated Rule Set (GitHub) | eb75f9de2201bfad4ef177dca85b0b8fa8e5a86ba2357af5301f72acbc5eb144 | 37058 | 1089
Suspicious Add Scheduled Task From User AppData Temp | frack113 | Sigma Integrated Rule Set (GitHub) | a219a0bf27f7f5f1acdc1fbdd83ff3d3f3711edd5b8111b967d8eb1575aa3b85 | 36801 | 1911
Bypass UAC Using DelegateExecute | frack113 | Sigma Integrated Rule Set (GitHub) | da3ec62084336efcb20f4f4e3a94268ca6c1665699d00b48e490be7fc41d2287 | 35716 | 50
Tamper Windows Defender - ScriptBlockLogging | frack113, elhoim, Tim Shelton (fps, alias support) | Sigma Integrated Rule Set (GitHub) | c14e1f7f13c2bd7f209d1a9b75c7c313606e7e245601bf31765f2770c858ce09 | 35484 | 584
Modification of IE Registry Settings | frack113 | Sigma Integrated Rule Set (GitHub) | 7ca43f2acf2c039e776af286dca2b5216d23967e6e8fe43dd5a5cc95f86e52e5 | 35053 | 5528
Dot net compiler compiles file from suspicious location | Joe Security | Joe Security Rule Set (GitHub) | 76e8bb8877ab40bd84b14fc93daffe9ff7ebe9440ce09916b5c63a302d62c918 | 34860 | 9497
Renamed Office Binary Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | bb031bd9cea5bfc07d877d0deeef37ed046229fe8cb82202aefe3220d14c8626 | 34700 | 1257
HanaLoader (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 38853c8efaf750ffd744961ebcbeb037146acaabb9ca85c445af59f87e98e44d | 33772 | 14530
DropboxAES RAT (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 8c558244a29064b6842314ce986116d2007b1087f6f8bb45ae883911d0155549 | 33741 | 14539
Drops script at startup location | Joe Security | Joe Security Rule Set (GitHub) | 196a9c9222e3b003ccb0caadc29931d851129ba863f99545299786a032864d12 | 33730 | 357
Reg Add RUN Key | Florian Roth | Sigma Integrated Rule Set (GitHub) | aa87efb252a9cf7bb1fb0114336bd08c338bc9046dd498d187c209cd94ddbc6a | 30479 | 366
CSRSS.exe spawned from unusual location (possible mimicking) (via cmdline) | SOC Prime Team | SOC Prime Threat Detection Marketplace | c3e407003db6c8b95e5a7dcbea08bddf8b53b265400c2feb32abfa523336257c | 29625 | 7
Suspicious CLR Logs Creation | omkar72, oscd.community, Wojciech Lesicki | Sigma Integrated Rule Set (GitHub) | a0cf7d21374ebc3567492775f48033b67b0a81b95521f405e5be52f2950f9d18 | 29575 | 15453
PowerShell Web Download | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | dac677b84d14788387f1c92fd6733396974f070639fca6be1bbf50df44b426cf | 28498 | 4071
vbc.exe execution. | Den iuzvyk | SOC Prime Threat Detection Marketplace | 7f5e752d29abb27ef7222f5171fe6719092aa64cb1a11187e75e3efd277216b3 | 27432 | 132
Suspicious Process Parents | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 339db70fcafbc2231425e99a4637ca5513d5eadd2f7807a2ad8bc9123ec81129 | 27342 | 24
Process Reconnaissance Via Wmic.EXE | frack113 | Sigma Integrated Rule Set (GitHub) | c64577166c54aa12e6fafe9322a15fd35e2e359c52a4b545c470853d848557ec | 27140 | 1299
Suspicious Windows Service Tampering | Nasreddine Bencherchali (Nextron Systems), frack113 | Sigma Integrated Rule Set (GitHub) | 941abf5111763a135c88b4f6437475eb4c99e8d4c3ebdb4b74e30321695b0fa7 | 26814 | 800
Use Short Name Path in Image | frack113, Nasreddine Bencherchali | Sigma Integrated Rule Set (GitHub) | a913250de417b0235e4fbff14e07a25585d216d2000ee8ef314227987aef7eb0 | 26640 | 10827
Remote Thread Creation By Uncommon Source Image | Perez Diego (@darkquassar), oscd.community | Sigma Integrated Rule Set (GitHub) | 5242ae9a7c0bb9967f443e598ba4d27edfa69ca76b6fbb7ad0d569f7e9067668 | 26436 | 157
Potential Dridex Activity | Florian Roth (Nextron Systems), oscd.community, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 11ef2fbb89770dbec860f554810a4e34a33e1326589f9eaf562412ceba567f00 | 26166 | 596
Potential Product Reconnaissance Via Wmic.EXE | Nasreddine Bencherchali | Sigma Integrated Rule Set (GitHub) | 04969458bf2b005665d6b29fa937ccdfac26516eac5746c80ed78581033094c3 | 25239 | 648
Milum malware detection (WildPressure APT) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 30fcf3924a898a9d1747e89068ab2990c77ca3914a94aa78466d28a9d9da32bb | 24149 | 114
CLOP Ransomware detection (Sysmon) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 94b16fc40ce61b0527bd124b84d6a631649e579c2c571a3dc68d4f0f9ee4aa76 | 23309 | 5004
Suspicious New Service Creation | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 2e9fe41f275cf8282c3e18ce1605f533249acb7b3762d23c128bd0febd22a085 | 23279 | 5873
Suspicious Executable File Creation | frack113 | Sigma Integrated Rule Set (GitHub) | a3e8f1f39ee9f212f863aa80fb48e783e942fa1db242be073c5647888fd6b094 | 23120 | 1511
Scheduled temp file as task from temp location | Joe Security | Joe Security Rule Set (GitHub) | 90af0ea1f6d871f169dfb41b18545bf456f980c5d75f60f1293c34f071f6a31c | 22887 | 144
ServiceDll Hijack | frack113 | Sigma Integrated Rule Set (GitHub) | fb1acd0dbf62447f03607a7716d5d6bd489403a486bd8807beba004bab482bdd | 22693 | 486
Regasm/Regsvcs Suspicious Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 98a4dc6e84bd2b7671587aaaaa8a8ae8fdd2f8d8880705d12e11f767c77df7c4 | 22617 | 349
Dynamic C Sharp Compile Artefact | frack113 | Sigma Integrated Rule Set (GitHub) | 764276dba9654bf07d000fa390ae98de360ac172927cf3ef64f2db6c5b9be3b2 | 22601 | 5017
Use of W32tm as Timer | frack113 | Sigma Integrated Rule Set (GitHub) | c36744b5f28fd16a3d12551b5ab3040cda78b8771cefa8acaf2dbdd269e4af2b | 22443 | 10453
Usage Of Web Request Commands And Cmdlets - ScriptBlock | James Pemberton / @4A616D6573 | Sigma Integrated Rule Set (GitHub) | 6291f85314c7d9966be831c56d3cdfb30f42c84f599273e73dac5c95e1122abf | 22361 | 3107
Oilrig | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 358d598d019422b994aa86b74a025eddf76f526b50d61f4163e79404bbe9ad0e | 22283 | 10377
Suspicious DotNET CLR Usage Log Artifact | frack113, omkar72, oscd.community, Wojciech Lesicki | Sigma Integrated Rule Set (GitHub) | d3c65dba4df23fb384d566a6730f08957cd6e906ab86db5a042c01a5c4258230 | 22240 | 12300
Too Long PowerShell Commandlines | oscd.community, Natalia Shornikova | Sigma Integrated Rule Set (GitHub) | 4b2c1a09ad8532fd7bf380feea00e848eb5daf3d246d1f4dac0ef853f29bc01c | 21926 | 1428
Sakula RAT | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 1c2774ed7c4cad91219d007aa7101b09d19b442613cd2e3fc453726a7abd1b1a | 18438 | 9
Windows Defender Service Disabled | Ján Trenčanský, frack113, AlertIQ, Nasreddine Bencherchali | Sigma Integrated Rule Set (GitHub) | 5800379600db7e280b56236f291d8f474f097bed4c21c02367049347a8febc40 | 18403 | 58
Bad Opsec Defaults Sacrificial Processes With Improper Arguments | Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 53f67594c85a67cef198b525b556658fa4e46d1e49901472adbc8b7f0ba475a8 | 18360 | 28
Suspicious Startup Folder Persistence | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 3396956bf20db86e217299b41f051d8e3807a72f92450b595e46cc0a7e70800b | 18313 | 305
FlowCloud RAT (TA410 Campaign) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 159df9b8abe4902ba69f24455a788a64edcec473e20be350469118e1c586299d | 18247 | 844
Registry Persitence via Service in Safe Mode | frack113 | Sigma Integrated Rule Set (GitHub) | 876ae5900040fc2ad5fd69d8477e94869d5e147f2af5c4456d0b099844c20bb5 | 17983 | 4933
Hardware Model Reconnaissance Via Wmic.EXE | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | cfdf6fdaa1841541e46a9c7701402dd4782cd08947692cfdcf86532c87ea3dbc | 17845 | 457
Compression Utility Passed Uncommon Directory (via cmdline) | SOC Prime Team | SOC Prime Threat Detection Marketplace | f4fe24c510771cfebac8ea12b6e86858e92ee0807f17f8dd0e23e2dc5e1b8049 | 17664 | 380
Suspicious Execution From GUID Like Folder Names | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 08e7088e12bfe2fa4d351a66754c13a0aa7ea7b70fb40c21ce782ac7321e54e4 | 17627 | 11418
Stop Windows Service Via Sc.EXE | Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | dd1cc05e1a1d9416b75088f7ba5586374900fc625479abf320585293e9e21639 | 17096 | 808
Created Files by Office Applications | Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule) | Sigma Integrated Rule Set (GitHub) | 5c100e376f43b26c0279b6ecab437d35499a64f73cd9c1b180f62e840eebd2a6 | 17050 | 46
Script Initiated Connection | frack113 | Sigma Integrated Rule Set (GitHub) | d2ba63dcfd40541d69308865939969a6282a95c29b46e0eaeb0c39701b6aa2f7 | 16865 | 10016
Script Initiated Connection to Non-Local Network | frack113, Florian Roth | Sigma Integrated Rule Set (GitHub) | 8d980d509aaf7ca8f2c6cd9dd23e8ea6eb18328ca64711cb6e059ecec024fe0a | 16730 | 9994
Use NTFS Short Name in Image | frack113, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 53658db80063ea16a40c90c24fa4cdb4a146dec6685cf48c0167318df2cbe20f | 16574 | 1943
Suspicious Hacktool Execution - Imphash | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | e5df091eea8e09dc9859059928ad9ae436f75c7bc67be324d1582e24fe627533 | 16093 | 10
Suspicious Mshta.EXE Execution Patterns | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 31e1f4457871d51593456a4331811513af82fe4e36d2b26a582dd6baa180a91d | 16000 | 716
Suspicious PowerShell Invocations - Specific - ProcessCreation | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | dc48d8314d305b4c97b9f813958e20738bb989b83928e70ea811bb7c0bf7e197 | 15513 | 156
Suspicious Service Binary Directory | Florian Roth | Sigma Integrated Rule Set (GitHub) | ecf07e5502e8c93b8a8359e6bde14af9098293d382223c0ecf59834a37cac953 | 15510 | 4
Potential Binary Or Script Dropper Via PowerShell | frack113, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | bda626dd3bfb65bcce23cf31a18f15b58628dc48b2bb5cd9fe5f9ea5f9a3cc8c | 15128 | 525
Potential System Information Discovery Via Wmic.EXE | TropChaud | Sigma Integrated Rule Set (GitHub) | 0546c2d1b6847c71b54cd4de2f5363edba0cdf02eb90da287ec9c110d3c4af30 | 15084 | 189
CoViper Malware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 17affcf8751489416a8bdd1c7819271220bd9bdd11f595b644b2966c3e3b1b80 | 14959 | 1088
CoViper Malware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 156996684d126da245b795581497a973d9061da14c527920068752bc9a466ecd | 14828 | 452
Suspicious Rundll32 Without Any CommandLine Params | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 87574dead19ceb246e10ccb4cb4fd5009c71c46de0d77965d2170bfafc2c3b14 | 14791 | 47
Regsvr32 Network Activity | Dmitriy Lifanov, oscd.community | Sigma Integrated Rule Set (GitHub) | dc313eb40a68f81f4e6cc8b4658215600b2bac992cb67ea873d40ba70e41b7b3 | 14510 | 59
HVNC Attack (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 0643197645f9051600e631515cbe8f526e02ae4556e6125c8f9bf640dcc17849 | 14480 | 99
rundll32 run dll from internet | Joe Security | Joe Security Rule Set (GitHub) | 232de5bd44720ce2fb34b305f8385e685f63ee5e14d8845368072b2fa100a5f6 | 14401 | 10200
Group Modification Logging | Alexandr Yampolskyi, SOC Prime | Sigma Integrated Rule Set (GitHub) | 48fbab3f0d31a3776ce8099e24b7c20af280fc9952c2d83fb8e54e4808a7d506 | 14315 | 1032
Legitimate Application Dropped Executable | frack113, Florian Roth | Sigma Integrated Rule Set (GitHub) | a323ff5e5edb2d7bf37ac8071bd7e0943ac4d50e99adf03671a8b5bb0eac5cf0 | 14182 | 92
K8h3d campaign (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 2e5a93340aede0794b671d3b3d020fb719a3985e78a96970d36c5c326f2fef34 | 14047 | 321
Office Autorun Keys Modification | Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Sigma Integrated Rule Set (GitHub) | 0533bf39f662d089d6f317f51a9329a2865ffc0d84552c58c39a8d35672474a4 | 14013 | 11082
PowerShell Download and Execution Cradles | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | e88280a32f81c8575c3cb9b02910d867498fbf28ca75ca922ad991faa3a68879 | 13519 | 292
Suspicious File Created In PerfLogs | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a689c467d9cf931ad8d7fcb39456815daf9e5fb748bad72f1269eb6a8d64c5a0 | 13443 | 0
Windows Suspicious Use Of Web Request in CommandLine | James Pemberton / @4A616D6573 | Sigma Integrated Rule Set (GitHub) | f92451c8957e89bb4e61e68433faeb8d7c1461c3b90d06b3403c8f3d87c728b8 | 13279 | 1216
Potential WinAPI Calls Via PowerShell Scripts | Nikita Nazarov, oscd.community, Tim Shelton | Sigma Integrated Rule Set (GitHub) | 6c44b18934e9ddd288d035d35a258c41fce2d5f5ebafc55ff866a95fb78db9c2 | 13138 | 1398
Suspicious Msiexec Execute Arbitrary DLL | frack113 | Sigma Integrated Rule Set (GitHub) | 5802db25decfb533c2f29a2580aaef6b1d4833aade450592d1dc36e256141c3c | 13099 | 8761
Suspicious PowerShell Child Processes | Florian Roth (Nextron Systems), Tim Shelton | Sigma Integrated Rule Set (GitHub) | 2105a0eff0c693326dcb33bbdcfd768fd6c8825061ae9eb48d31703fabf241e5 | 12838 | 919
Renamed Rundll32.exe Execution | Florian Roth | Sigma Integrated Rule Set (GitHub) | 9c82223957e793a96ef035ed0c34e45da5cda4718210320cc09615a65b0fb5d1 | 12506 | 33
Capture Wi-Fi password | Joe Security | Joe Security Rule Set (GitHub) | 2e31c80fe0affb3753d7456883282043c5795a0abd5906589d7b67f0eb04076e | 12438 | 227
Modify User Shell Folders Startup Value | frack113 | Sigma Integrated Rule Set (GitHub) | 0799d32e125d6df849ced4dc75e232438c118a816477d3f80a390cbd8b4d07ef | 12107 | 47
Msiexec Quiet Installation | frack113 | Sigma Integrated Rule Set (GitHub) | 269369cff6a753f9bd7a50d72f15b83a86911e2d6d46e1a38561ac385481c372 | 12059 | 5476
Regsvr32 Anomaly | Florian Roth (Nextron Systems), oscd.community, Tim Shelton | Sigma Integrated Rule Set (GitHub) | 455818bf9dc4423de74cdfa396a0735e0fd29acee7f47632575decb468b11cb5 | 11770 | 3205
Add file from suspicious location to autostart registry | Joe Security | Joe Security Rule Set (GitHub) | ab2075510415e5fab5635dc30ecec20ea16d6bead9c4397297335c9520922561 | 11656 | 19
PoetRAT detection | Ariel Millahuel | SOC Prime Threat Detection Marketplace | a9e98f5066d90fefc6c08a2a98baaaeecc9dcfccf65c96170128a898353b6d50 | 11509 | 16
System Network Connections Discovery Via Net.EXE | frack113 | Sigma Integrated Rule Set (GitHub) | 90412c9cf799f0ce454d95cf6bdbef8b1264fbcde3cd6b065ae6aee265882a86 | 11105 | 1682
Suspicious CMD Shell Output Redirect | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 9312dc563b7e9a010a22b457fb7cd94e9c686b75dc20fcf8a10236dda0e5e2b4 | 10890 | 918
Schtasks Creation Or Modification With SYSTEM Privileges | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a9278f03bce6b217a82c054a78cc6ea5acfebb4b16cd25b7d6cd842bb1dcfd8f | 10625 | 2074
Execute DLL with spoofed extension | Joe Security | Joe Security Rule Set (GitHub) | 90c63349e180656f865f6206a06dbee57bd3226b32eb61fba3e6c7c4452d4e1d | 10435 | 2828
Nymaim Trojan (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | a9d7fe3dd2aa50123d54b48a488447b37091616c00667ae7c459bf19dd1ad2e0 | 10422 | 14
DNS Query To Remote Access Software Domain | frack113, Connor Martin | Sigma Integrated Rule Set (GitHub) | 210890087c5c0874ddc8155130ae1218d789f501e70a75ad47c71bbbc76004af | 10115 | 3326
Use Icacls to Hide File to Everyone | frack113 | Sigma Integrated Rule Set (GitHub) | 2b816898a4d295bb7523cf3cf83af84a641b8f2a145e2ca8b12cdf2ac8193a13 | 9981 | 40
Suspicious Csc.exe Source File Folder | Florian Roth | Sigma Integrated Rule Set (GitHub) | b39586c79bf4d0d43c937efa6129ebb6f0b2cf03b7038a3a8234f84c147600f7 | 9868 | 1518
Suspicious Command Patterns In Scheduled Task Creation | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | c6cac3013982f7f078cbf7fdc49b83f80fe4377b7ba4434f2533c34c98a85608 | 9545 | 1518
Xmrig | Joe Security | Joe Security Rule Set (GitHub) | c9f2b527fcecda6141fde1caee187052676355bc055141a8caa6c22482fca3ad | 9510 | 5
Windows Credential Editor | Florian Roth | Sigma Integrated Rule Set (GitHub) | 8c09b5d8aeac44d4ad6b76333ab77edf4453d9c7f7db00d879591acfc9f98479 | 9482 | 9
Greedy File Deletion Using Del | frack113 | Sigma Integrated Rule Set (GitHub) | c1c4c35f46055951f3124f8f5791b474f919c9dee2a42d1e737590c5eb7169a4 | 9396 | 29
Suspicious Binary In User Directory Spawned From Office Application | Jason Lynch | Sigma Integrated Rule Set (GitHub) | fb4acb832d8776634f7ad5e60b2ae16c329118186cc8dcf04d1ce959185c6264 | 9376 | 2
Internet Explorer Autorun Keys Modification | Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Sigma Integrated Rule Set (GitHub) | 11ecb99add36c59a082a478e7c117545e6404a0b28c77c007c135739df91a489 | 9025 | 2837
Disable Windows Defender AV Security Monitoring | ok @securonix invrep-de, oscd.community, frack113 | Sigma Integrated Rule Set (GitHub) | 78a8ebe85ceee09aa63f018db033f8616308e95816c4f7429ba0bafe2d0995b9 | 8909 | 67
Vulnerable WinRing0 Driver Load | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 6e6298fff951b11ea6aa772fe7d022e50af3068aa7254be68850f49e45e0ed13 | 8819 | 123
Console CodePage Lookup Via CHCP | _pete_0, TheDFIRReport | Sigma Integrated Rule Set (GitHub) | 3bda98164bb253cb435c3bc30ce36f9f570b187e1481bf7feb1e9468422fd79c | 8618 | 2163
Use of GoToAssist Remote Access Software | frack113 | Sigma Integrated Rule Set (GitHub) | df5ad6e42247717e66029569fa91f85ff8a54a54497ee42527054193ce21bc6b | 8400 | 4711
Use of LogMeIn Remote Access Software | frack113 | Sigma Integrated Rule Set (GitHub) | 2d50b92426dd9dacf9cb8f8155e01c1358138fea49e2459c140ebd54d3e45990 | 8400 | 4711
Obfuscated Command Line Using Special Unicode Characters | frack113 | Sigma Integrated Rule Set (GitHub) | 1afbb49fc8fb15fab2d75349956e426d182cdd6d06760b6d83594535a112fb1f | 8357 | 558
Firewall Rule Deleted Via Netsh.EXE | frack113 | Sigma Integrated Rule Set (GitHub) | 052f94156672e1511386806889ab6346ea81a8f49f98a8610ce616ee7a9ae931 | 8032 | 2175
Suspicious Execution of Systeminfo | frack113 | Sigma Integrated Rule Set (GitHub) | f2a81aa24c1d19a09711179a71cd58fe057ab277cbef8632cc6a9281d5cf87dd | 7893 | 1145
Suspicious Curl.EXE Download | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | d86dfee683d0e96803dc8a153d15f7208afc774045e2d885ccaec10bdcef7831 | 7818 | 2201
Reg Add Suspicious Paths | frack113, Nasreddine Bencherchali | Sigma Integrated Rule Set (GitHub) | 4ed42e9d011d5674f2f07c78f41b8a2bfd742ee689b7a57fce8316e002688075 | 7794 | 636
Stop Windows Service Via Net.EXE | Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 5b84c64b930b911c8206935d6c61b2a128347a34d495da3ea3523cdf5397c3ef | 7725 | 1292
Tycoon Ransomware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | c2a677a155b0fd75d813c22a6dc0d1632310c42fafb3c2d5cb08090c75ce491e | 7655 | 345
Conhost Parent Process Executions | omkar72 | Sigma Integrated Rule Set (GitHub) | 7b87fbdccf3c12011b709aab8b9bd4642bd61dc9880e0e1ce9ebb9901e2a3497 | 7629 | 228
LOLBAS conhost.exe (via cmdline) | SOC Prime Team | SOC Prime Threat Detection Marketplace | b29d2dfc7edb1018f0384c6a0606a6f59a25bb2e9e1ff8a0fa4bad79d7d4121e | 7629 | 228
Disable Windows Defender Functionalities Via Registry Keys | AlertIQ, Ján Trenčanský, frack113, Nasreddine Bencherchali | Sigma Integrated Rule Set (GitHub) | 387844917f76d926b5dde6a796bcdb423a54d6df4ab736e7752fb73dc931e400 | 7627 | 455
Vulnerable Driver Load Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) efe6f377eb5896688f0baa7d44db4fc8d0639fa43f0d3dbb262bde8a7eb7b453 7467 307
CARROTBAT Malware detection Ariel Millahuel SOC Prime Threat Detection Marketplace e5937a80eca18cdaa94adaf02b89a4af91bb9605d3236af13685c8b481d9b1b1 7128 35
Suspicious Remote Thread Target Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 35516fc873ed87d5b0b7a43b8533ffc2f5caa47a50e9166c663b25628f65fed4 7029 663
Potential Binary Impersonating Sysinternals Tools frack113 Sigma Integrated Rule Set (GitHub) 8652ffc2b3174864b7f93e2652bbeaa97cba1ce3a0949c10a85ea086c2478680 7028 398
BackSwap Trojan detection Ariel Millahuel SOC Prime Threat Detection Marketplace a5470af7af21c2bc99ebc438fe841b20ec62f530e6540dc01ce42deed3ffb1eb 7026 24
WScript or CScript Dropper - File Tim Shelton Sigma Integrated Rule Set (GitHub) 858185cf49c680890b5a26787055bc3518a78b5c5f6fc2df09e5516b191cef8c 6779 142
Potential Persistence Via Visual Studio Tools for Office Bhabesh Raj Sigma Integrated Rule Set (GitHub) c04f755b9283e9e31eead7707a061225ee4da75cf49c91823ff8aa1d7e026551 6590 5506
Sakula RAT Ariel Millahuel SOC Prime Threat Detection Marketplace 68a19d3c88378331526d97065cc73f033a6ff79b1ebd046f7d815d967bd2dd69 6530 0
Potential Execution of Sysinternals Tools Markus Neis Sigma Integrated Rule Set (GitHub) c718a898b26d6c8f64602f1b33c49df17864599a9ba4a879a1ac22848dbda174 6441 1713
Service Registry Key Deleted Via Reg.EXE Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 024bac7758bc9b41b74cd867afe686054dabf2eddd7128488f92797af3459361 6382 294
Unusual Parent Process For Cmd.EXE Tim Rauch Sigma Integrated Rule Set (GitHub) 16502dbca7468597f52d37ca5a5a0f5c904c43f0ca2b6726d890a67a63b68516 6256 15
SafeBoot Registry Key Deleted Via Reg.EXE Nasreddine Bencherchali (Nextron Systems), Tim Shelton Sigma Integrated Rule Set (GitHub) 4202d03bb66c7e22943582a6959ff86dea30b0493ca74ce160940b0daf7b2797 6159 48
Shadow Copies Deletion Using Operating Systems Utilities Florian Roth (Nextron Systems), Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades) Sigma Integrated Rule Set (GitHub) ad5e4d4b939797a70a9aa742d979a4742c2cfedddd663fb1a43b2795c1e6054b 6155 107
Potential WinAPI Calls Via CommandLine Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 7d53de0fb9c4ee79b8ab06605cd3a8faaa400a586d577c9a7d692f059a3ac78c 6021 3504
Suspicious MsiExec Embedding Parent frack113 Sigma Integrated Rule Set (GitHub) f46fb5682ba3b26a58530a0f49196fd4253c14c4e64dd7069f21357e3d079509 5973 3114
Tycoon Ransomware Ariel Millahuel SOC Prime Threat Detection Marketplace 4a1bfdd64820625ce8a3a3a1703ba1575511aa7971c4320893b9fa4b51c65a4a 5928 243
Malicious payloads that are hidden in fake Windows error logs Ariel Millahuel SOC Prime Threat Detection Marketplace a0266c26a19ccfed14f484c3055ab6ca00bdb3123ee47a1a36410d63d33650ad 5711 1108
Droppers Exploiting CVE-2017-11882 Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) ea2bef709a3e478516f914938492950992d22f0077ede5a561e60f2c092f4dec 5553 3530
Suspicious Schtasks Schedule Types Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 83e48c48a7932749737a7bd38f5caa95e168e9a37a1d0730ffa0349f567f2895 5336 106
Windows Shell/Scripting Application File Write to Suspicious Folder Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 248820e948efae04f89b524348c8398f0b278befcaec4fafddf73e9c5dda0353 5266 238
Suspicious PowerShell Encoded Command Patterns Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 12273189dbbd1ed526c045fb9a7d5e45682ba4e0a13e2e94d65376962a0bfc2e 5190 304
Malicious payloads that are hidden in fake Windows error logs Ariel Millahuel SOC Prime Threat Detection Marketplace e55945cd70c0ffa247fd76996326089548147e223588b2b6aeef053c1c0ce613 5165 1420
Drops fake system file at system root drive Joe Security Joe Security Rule Set (GitHub) 4754f502f65f5684ed3a2e0c3b8615d89d16535a2ad1fe25ac93f82423267ae1 5028 4
PowerShell Module File Created By Non-PowerShell Process Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) b8c95f5909e68be942c69ab250a3b47557e33b2d1d582cd72e665210efeadb8f 4968 5
Suspicious PowerShell Get Current User frack113 Sigma Integrated Rule Set (GitHub) c0ad3fd3010dc41b8f54cd4f911b4bf081d2d195b0e7548cdc60ebcee9250ad3 4845 2706
Computer System Reconnaissance Via Wmic.EXE Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) c8e910a6a612d2b2556bdcc91dfca15a43385b8571e490ed29c46ef1a3e5e144 4777 428
Regsvr32 Command Line Without DLL Florian Roth Sigma Integrated Rule Set (GitHub) c0cdd12b4805f2aebecbc0415332f2594acf1ae6d8d82da086eeac9a84bf0c37 4739 586
Suspicious PowerShell Download - Powershell Script Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 124bf07ac70743e91b5698e3731aae0330fc182aa58036390f2a0457a90b5341 4732 562
UNC2452 Process Creation Patterns Florian Roth Sigma Integrated Rule Set (GitHub) f282a8660328d20195770b77f51561e6885408fc2136a6916d0380839cf39301 4731 4
Files And Subdirectories Listing Using Dir frack113 Sigma Integrated Rule Set (GitHub) 7752bbd4e940ef58081260cfa45b4ac6b149e2cecb836d79f5e61bfbdc237105 4706 655
Stop multiple services Joe Security Joe Security Rule Set (GitHub) 2319d1843957b572c6e41e1d83656e12eac1e5e75f59ac1ccc309c2b00e9ef86 4631 28
LOLBAS rundll32 with unexpected forward slash paths (via cmdline) SOC Prime Team, @SBousseaden SOC Prime Threat Detection Marketplace 4df0b9d85eb21989ce009f134a8fae2edde67a305237b09a9daae0c40abae0ac 4613 1869
Creation of an WerFault.exe in Unusual Folder frack113 Sigma Integrated Rule Set (GitHub) 4469b0111d1f4747a00542caf4ceadd719bff3e7e6e21793e9446d294be895bb 4524 114
Suspicious LDAP Domain Access frack113 Sigma Integrated Rule Set (GitHub) 16b459cba08f0827ee9607be238b1582dfd3717c30b129b5f215736d5a3c3e1b 4314 1081
Powershell Defender Disable Scan Feature Florian Roth Sigma Integrated Rule Set (GitHub) 452d2469c7cd2c2065eaf39a671afb28d62803ea89003d82491c0e02559fcb9d 4289 379
Wscript Shell Run In CommandLine Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 83ab725e0e176c0c59e352231c53ea9aca280a122aaa1c79b3ac8cd955147dab 4285 71
DNS Query for Anonfiles.com Domain - Sysmon pH-T (Nextron Systems) Sigma Integrated Rule Set (GitHub) 21c4870bc492f9b979f795cb98b5fd283fad4043432a9c3cd239097f04e945ee 4140 67
PUA - WebBrowserPassView Execution frack113 Sigma Integrated Rule Set (GitHub) 33f5c9533af9250ea025177bce3fdac08e97300ebdcb88f194c75a49a985bcfb 4100 9
New Lolbin Process by Office Applications Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Michael Haag, Christopher Peacock @securepeacock (Update), SCYTHE @scythe_io (Update) Sigma Integrated Rule Set (GitHub) 8a45e61fc1757825afcd5eca531a7940c6b8fd8ed95faee7b3ea517339e0ee17 4009 218
CARROTBAT Malware detection Ariel Millahuel SOC Prime Threat Detection Marketplace 5244e0d5e7e39e2209c4a02fd25867f6008966d611f19da634de6505358c95a6 3882 11
BackSwap Trojan detection Ariel Millahuel SOC Prime Threat Detection Marketplace 6cf0858071345dfa209de5be9510786314771819c7ae412dbfe82b134cb3697c 3835 6
Suspicious aspnet_compiler.exe Execution frack113 Sigma Integrated Rule Set (GitHub) c72e2995683af253e803fa2fe4fb02eab21f864cf7e63657b4c1f5a21e5cd421 3806 9
Remote Access Tool - Anydesk Execution From Suspicious Folder Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) e8f71f8fe8e705cebda4bbb0636db89fdd3c7b9c2faebe19bac1e6d0d6db37c5 3786 1424
Use of ScreenConnect Remote Access Software frack113 Sigma Integrated Rule Set (GitHub) 4e5183fbf4eb55f1facacd3e44e6d35245f2dea793693a25f292b52509cbdb72 3775 290
Pyvil RAT Ariel Millahuel SOC Prime Threat Detection Marketplace 1b78637b79c8dffe83e4631ca8812c2cab4799547d30fb65df21e42f1894053f 3726 1846
Installation of TeamViewer Desktop frack113 Sigma Integrated Rule Set (GitHub) 2495a5176f32a1fe533956bb584ac28d8b3080d4d27a4a91f60fcf3c24bbfabe 3674 2087
Service Binary in Temp Folder frack113 Sigma Integrated Rule Set (GitHub) 36e24eb60fb7bfe4a61d59d53220df514ceab13a68a4221cf5b7d120d53c4a3e 3629 467
Bypass UAC Using Event Viewer frack113 Sigma Integrated Rule Set (GitHub) a0f94cedc18c397f576619978b15265938adc1cba9d431467d50db98d8a79972 3612 7
Xwizard DLL Sideloading Christian Burkard Sigma Integrated Rule Set (GitHub) 96b3df20cf0336e4751b0a85d9786ada6ce7185e05988a511f646967e712cc1d 3571 9
User Added to Local Administrators Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 534ecedeba777d436d37888757fcae6c00842f791bdcb6c39d8c804ab3c6a535 3525 57
Windows Defender Exclusions Added - PowerShell Tim Rauch Sigma Integrated Rule Set (GitHub) cf863dff3d564c975d28d336cb7981fcd6956e6fb9afbd2794f600b130e83171 3510 65
CMSTP UAC Bypass via COM Object Access Nik Seetharaman, Christian Burkard (Nextron Systems) Sigma Integrated Rule Set (GitHub) a30845acd045e920f165087e59ac6d9461f6c4bfadfa52e4c518e3bcb9d8cb0c 3501 17
Suspicious Network Connection to IP Lookup Service APIs Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 7b06f86400ae084ca05c7e2cefe70b8ea4910b6196d969ae516b9d5d1c99bfe5 3476 59
Vulnerable Driver Load By Name Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 8f6a6cfb95501925772edc51e1db78dd76eea0e212ed3a9923b1a0de9d552371 3434 998
Suspicious Powershell In Registry Run Keys frack113, Florian Roth Sigma Integrated Rule Set (GitHub) cfe58f03c01bfef6fd133a3da09440cc5613a5dbeb310ee795cc443e18538943 3176 88
Powershell Decrypt And Execute Base64 Data Joe Security Joe Security Rule Set (GitHub) d77da6b7c1a6f6530b4eb82ca84407ff02947b235ab29c94eade944c4f51e499 3161 6
Potential Persistence Via App Paths Default Property Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) cef4d3e30776e7c2f6f9875e0ccd23b74182701da04f922481d50f37c50281d2 3139 1320
Suspicious Process Discovery With Get-Process frack113 Sigma Integrated Rule Set (GitHub) b0d225f3239543a37159ba2855ee1e7972c6bff3c83ce7aed9056599f6ee6314 3137 700
Dllhost.EXE Execution Anomaly Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 55e193a1988b8c8a7a5a6a43dd2962320dedbc26a63c88ad59d1df2fa6897da6 3061 22
Windows Defender Threat Detection Disabled - Registry Ján Trenčanský, frack113, AlertIQ Sigma Integrated Rule Set (GitHub) baa17a6a8681c2a3d925f497f9c81458eab98535fd28d8909861aece2b9cb901 3039 45
Potential Dosfuscation Activity frack113, Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 3ced86caf89e0cb118bce2037de20fae8f9a70e400916dcdd9c2ee1eec7c58c4 3001 48
Powershell Base64 Encoded MpPreference Cmdlet Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) f86d8f196029958699a0b36a9a1a254d7c1bfc594fd486ee04c1e4988965f3b2 2955 229
Sticky Key Like Backdoor Usage - Registry Florian Roth (Nextron Systems), @twjackomo, Jonhnathan Ribeiro, oscd.community Sigma Integrated Rule Set (GitHub) dd211e6e9cebdae07f1d14d61650061c791829402d134a1a9e064ae72b6c4cd9 2936 67
WinSock2 Autorun Keys Modification Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) Sigma Integrated Rule Set (GitHub) 688632515df3a00cecdf2ee4e9316bea52edf73c9cb0889c10d336de857c293c 2927 296
Rundll32 InstallScreenSaver Execution Christopher Peacock @securepeacock, SCYTHE @scythe_io, TactiKoolSec Sigma Integrated Rule Set (GitHub) e6082733e3e0087a0d92bb4d25eb43218d2a86b3681b4d5ee37ab8c2e6ecde4d 2839 917
Suspicious Msbuild Execution By Uncommon Parent Process frack113 Sigma Integrated Rule Set (GitHub) 99aac26486266b4916c883cf9ec793784cff9e6617ed361b8c47f7972a4baf46 2800 11
Suspicious Invoke-WebRequest Execution Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 56fe16e9bd72e77ff37f1ceaab3ee67231b676c732b7ff10556298e7a60590e7 2775 499
A Rule Has Been Deleted From The Windows Firewall Exception List frack113 Sigma Integrated Rule Set (GitHub) 67a0e8c868b0d9e328cacb80b1deb06682096f1919a50ecd953a8b4cc9a1d01e 2754 2174
New Firewall Rule Added In Windows Firewall Exception List frack113 Sigma Integrated Rule Set (GitHub) 67d7bc69b082fefa483232989806870ecde5e6bcb70d0db262c428e845ce0eff 2754 2174
Windows Firewall Settings Have Been Changed frack113, Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 693c36f61ac022fd66354b440464f490058c22b984ba1bef05ca246aba210ed1 2754 2174
Powershell Execute Batch Script frack113 Sigma Integrated Rule Set (GitHub) ece68c3b6fda1fe5c7d8707c5dd9099cf564ed0e7e7b480e97278c475f10e5a7 2750 201
Directory Removal Via Rmdir frack113 Sigma Integrated Rule Set (GitHub) d0d48610cfc4076f9598a2787593e35702aa291f3772b3678c8025aacc26c35d 2747 712
Disable Important Scheduled Task frack113, Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 09601976d693769f1fe442a0618410420380d7de7aeec4e52c0ebe6e3ebebe56 2696 90
Powershell Download and Execute IEX Joe Security Joe Security Rule Set (GitHub) 317ff64a1d49452191210f7b55d7201e483352440ec851a9c716f6be7cfb7ec9 2692 119
Suspicious PowerShell Invocations - Specific Florian Roth (Nextron Systems), Jonhnathan Ribeiro Sigma Integrated Rule Set (GitHub) 7d262d8417cb03b2a9d2b935ae55980f22abc3aa7cffc36e57eda761068226dc 2690 175
Suspicious Scheduled Task Creation via Masqueraded XML File Swachchhanda Shrawan Poudel, Elastic (idea) Sigma Integrated Rule Set (GitHub) b0f576aead127b964909d75f26e113ee55e88fb8d2bac31fe4a5c12337b4f327 2683 13
Frat Trojan (Loader detection) Ariel Millahuel SOC Prime Threat Detection Marketplace e5340d719fcf66efd2a0ce9db73895f3154a53e10e72e001760230ca6aa22057 2676 0
ChChes Trojan (Sysmon detection) Ariel Millahuel SOC Prime Threat Detection Marketplace a515be8db5d265bf43ba29f21c53f4e482fa0f7db4acc10054e85bc0c516a7ba 2643 445
Share And Session Enumeration Using Net.EXE Endgame, JHasenbusch (ported for oscd.community) Sigma Integrated Rule Set (GitHub) 7cb4a3985bd24a137550fa4c49b1da3fb949c3cf182a90950438e97aaad46378 2643 384
Use of Anydesk Remote Access Software frack113 Sigma Integrated Rule Set (GitHub) 0c4da16b3166fbd90cadb96254a8be0f74828fc4eb967256ac0483d9d0a10a96 2616 1127
Pykspa Malware Ariel Millahuel SOC Prime Threat Detection Marketplace daabc950b44baa5580ce5e56de6f2f363ce1854a5273ffd3ac321453e35a83b0 2603 31
Shell32 DLL Execution in Suspicious Directory Christian Burkard (Nextron Systems) Sigma Integrated Rule Set (GitHub) fbd6086058f7f1742827e4bf39c6a7b3d7cc32120c2f2cd39a924363da2fe8f6 2596 2
Suspicious Ping/Del Command Combination Ilya Krestinichev Sigma Integrated Rule Set (GitHub) 2e58fcf707ea25a6c7465ae2a0d4b35ff302cceb7b8fde4ac5d3467d832e005e 2564 531
Add DisallowRun Execution to Registry frack113 Sigma Integrated Rule Set (GitHub) aaeb77150a9427eedfb3c4c85538e120e703cd22905d020b93856bb7ebdb03a7 2561 0
Suspicious PowerShell Keywords Florian Roth, Perez Diego (@darkquassar) Sigma Integrated Rule Set (GitHub) a5f575ade1f2aaba452086d3418d8a893e94b28e30da42ad98b58df4a4fe9c2d 2560 417
SC.EXE Query Execution frack113 Sigma Integrated Rule Set (GitHub) 373890127a34a7d314b3d10d451aaacb806579ec3e9ed2515dbdd0a4d4bf7860 2453 881
Firewall Rule Modified In The Windows Firewall Exception List frack113 Sigma Integrated Rule Set (GitHub) 1b4845df7f68549988add5335d4685cb047e4eaabd5768d84a5483935b0d5499 2421 1905
Trickbot Malware Activity Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 1c7a83aaaaf300f7e44e597465797c7e812cc0c684756d1be37d0ac7acf0dc5c 2406 0
Pyvil RAT Ariel Millahuel SOC Prime Threat Detection Marketplace e1ca1eef7de3f782d09979e606d626e690c8a52046acf75e7a5de3203cd0a570 2376 821
Net WebClient Casing Anomalies Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 2b81c8afee92062579f4f19ea901c1194542107857913a32a13108debb721c71 2363 20
Potential Crypto Mining Activity Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 6bbafdf03b2a79de4fa71f3fec777333b907de6172939c7a35b5bed23d4a4b82 2325 3
Potential WMI Lateral Movement WmiPrvSE Spawned PowerShell Markus Neis @Karneades Sigma Integrated Rule Set (GitHub) 1ca8739651295d88708cb5ddfb7a115ae0d202152a80ee4c7871e62f3509c938 2322 4
Suspicious Characters in CommandLine Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 8d9898d05ff5a6ca099b0ec5f7aee9f3581d649c0ac4f2cf24f874e95d19d5ac 2317 329
Ie4uinit Lolbin Use From Invalid Path frack113 Sigma Integrated Rule Set (GitHub) 186b21df711a2c225bc97a789a6794326e96247d7982569c6a23484bb7fd61fa 2286 481
Suspicious Group And Account Reconnaissance Activity Using Net.EXE Florian Roth (Nextron Systems), omkar72, @svch0st, Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 6782835a8af9329207a47fe5076c3dff20a8803bafbda97ddc938ae379eaf8df 2266 202
Suspicious Execution of Hostname frack113 Sigma Integrated Rule Set (GitHub) 87d10b87f13ab6dd0ee17c311d476bcf6fce51f746e639542c1c6c08b6ae8071 2236 472
UAC Bypass via ICMLuaUtil Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 2219766fcc5e77936dbd9b7310a20b2ba3f5b4aac858c6ac312c81fcc2838d4a 2206 15
Delete shadow copy via WMIC Joe Security Joe Security Rule Set (GitHub) be6d29855558a0e8c404486d8f1838ce35594866f126f9c1c62a9792e9c76be2 2134 12
File Download Via Curl.EXE Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 2ba177894c99b540ea867640a2706237f274cc5b176aeae69bbe985e11bb1b06 2123 1052
Conhost Spawned By Uncommon Parent Process Tim Rauch Sigma Integrated Rule Set (GitHub) 6f60707627a0617e86bd3005d8ce73a34fa6e674c0169d593509953d67bfaa2e 2111 504
Potential Suspicious Registry File Imported Via Reg.EXE frack113, Nasreddine Bencherchali Sigma Integrated Rule Set (GitHub) 7c610f9de41fe35b34a2cbbdb30ffc39573016dafe890f4164dae07613c21fd7 2096 429
Suspicious Execution of Shutdown frack113 Sigma Integrated Rule Set (GitHub) 157ee4e95270f64481c50464c0e4766830e1e2b38b214a98f9e3f977857c6c69 2075 287
Office Macro File Creation Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 27801b0f98df1ce7686b07b693c59e734c47189ef3db24ea1093f6f00ff2ed67 2049 1180
Suspicious PowerShell Invocations - Specific - PowerShell Module Florian Roth (Nextron Systems), Jonhnathan Ribeiro Sigma Integrated Rule Set (GitHub) 355b439d3a90c89090f6f266afd2306ad6a03e5ca79228ad1be6e9cb6940491b 2046 28
Remote Access Tool - NetSupport Execution frack113 Sigma Integrated Rule Set (GitHub) 65cfc106cf4668ef2ff3c230ac24edd977515d2743358a7e4015e31ea26a4cae 2025 191
Windows Defender Real-Time Protection Disabled AlertIQ Sigma Integrated Rule Set (GitHub) 19a5c3cad343931aed1e013cfe07ab95ba7b853ee5b40c6828fc766529e602bf 2003 26
Potential Product Class Reconnaissance Via Wmic.EXE Michael Haag, Florian Roth (Nextron Systems), juju4, oscd.community Sigma Integrated Rule Set (GitHub) fc6236ee6917b72dac2442d623fbec008944e69e1788346494f1f98b38acb5c9 1979 88
Registry Hide Function from User frack113 Sigma Integrated Rule Set (GitHub) 82ee39002b5715b57e2aa8b1d93068fa1c6e7147795a59563c5812d827f7f3de 1938 10
PowerShell Script Run in AppData Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community Sigma Integrated Rule Set (GitHub) 4975d97d556849fe2e336bf1c8a5012b84eefe1d4059c527aaa8ec3f903022b2 1934 432
Register Wscript In Run Key Joe Security Joe Security Rule Set (GitHub) 530f42d2839f1cd12564a3743f6b294d960920a76da960e2c17e5337c43df9c4 1934 22
Windows Defender Threat Detection Disabled Ján Trenčanský, frack113 Sigma Integrated Rule Set (GitHub) 41872a2c86ff9bf310cf8a81b0235040c25793f1fe6255fdc5bf771cd716ddfc 1912 1145
PoetRAT detection Ariel Millahuel SOC Prime Threat Detection Marketplace 8d515240682e798faa78be0b976770c35f93bbf484d6a3876b1f640670a5aaee 1879 4
Use of Forfiles For Execution Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 1b7c75c23f2baad2051b96c094a3e6fd1d3f27a92c0518c2cfd7257229c57a72 1867 129
Uncommon One Time Only Scheduled Task At 00:00 pH-T (Nextron Systems) Sigma Integrated Rule Set (GitHub) 85cd399008ef4733657024eb14bcee01c9eda5cb5a070f2f186550293ebe4d29 1858 19
Suspicious File Creation In Uncommon AppData Folder Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 8c035500d22804f658be72a55a2b5d591891e0a77e57447d0f0c6f62f89e9ade 1852 65
Parent in Public Folder Suspicious Process Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 84c8381801022afb55be7429db7a75474adba79984c4b957f33c62e931b0f282 1850 5
Common Autorun Keys Modification Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split), wagga (name) Sigma Integrated Rule Set (GitHub) aa1c4ee10caaa9d521b34246c51e0c22c8af0a4b7fdb1cdd9faf1182ef6dd14c 1840 11
Wab Execution From Non Default Location Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) ee4aa57ce6316f4a46bc9e62a1748e7d5d687ad6315114f4d4eff654910c961c 1837 150
Reg Disable Security Service Florian Roth (Nextron Systems), John Lambert (idea), elhoim Sigma Integrated Rule Set (GitHub) 0c3e5c376a4a569ab4a4f3217dd009bb34e695e5fa82da85111db47f2b801bc9 1809 91
Suspicious PowerShell WindowStyle Option frack113 Sigma Integrated Rule Set (GitHub) 5e2ea8c055dd73ea66238735323d0318c2a6c114047137146357b85f764b1101 1790 161
Suspicious Program Names Florian Roth Sigma Integrated Rule Set (GitHub) 3dd877e77def39df894b8703b956bdc819796feea2cf44bef9f73339d5a37b5c 1768 184
File Dropped By EQNEDT32EXE Joe Security Joe Security Rule Set (GitHub) 4740c645e33c5fbe1595ad953f030f0aa29f78fcbd141282536d02587eb05d0f 1764 0
Frat Trojan (Loader detection) Ariel Millahuel SOC Prime Threat Detection Marketplace ba827fe25e86d6bf964385767d27442482e273923ce0185d7c335239fda7a2b2 1764 0
Suspicious PowerShell Download and Execute Pattern Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) bdb4652f83b1c4482478b0c14bcb08d332fcd600a7303ab1c709c543499be726 1708 36
Gzip Archive Decode Via PowerShell Hieu Tran Sigma Integrated Rule Set (GitHub) 0df382f7e3b997a4d0a5cf1e3096ed303ea8bef29d4a223899b1bd70c251bc33 1697 478
Possible new Cobalt Strike dropper Ariel Millahuel SOC Prime Threat Detection Marketplace 3cb32dc8f1ba61964f235761eac5b49d22264f521e003ce641a508eaff8d0eec 1691 583
Application Removed Via Wmic.EXE frack113 Sigma Integrated Rule Set (GitHub) 51aa013b39842efa6b0daa94240755c0d8b9d7b71b5cf5cc482247a3c7b8bc57 1629 363
Winrar Execution in Non-Standard Folder Florian Roth, Tigzy Sigma Integrated Rule Set (GitHub) 99b7b3abf0ce8f702d10cc3f120ed16591df3c13fbda30b46e0623d93cdac439 1628 731
Squirrel Lolbin Karneades / Markus Neis, Jonhnathan Ribeiro, oscd.community Sigma Integrated Rule Set (GitHub) 556a1aa7c513ecf9a4f6edfb0176deb074a2cf1447650e01766fe9efee338c35 1618 782
Set Suspicious Files as System Files Using Attrib.EXE Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) afdcecbde34527044e8c4c24e502ed3dfae6daa2d07665ad18226afff77ed6fe 1615 42
Finger.exe Suspicious Invocation Florian Roth (Nextron Systems), omkar72, oscd.community Sigma Integrated Rule Set (GitHub) 7014c2ce26877573641173ba99dcd8d8af4f637986c42be19651a8a37c5ead6f 1607 39
Registry Modification Via Regini.EXE Eli Salem, Sander Wiebing, oscd.community Sigma Integrated Rule Set (GitHub) 876619ed554fa68bef3ccfc88d359efb8c1f05d0781e13279ff3c4ff29f4989d 1591 191
Suspicious Certutil Command Usage Florian Roth (Nextron Systems), juju4, keepwatch Sigma Integrated Rule Set (GitHub) f1e311405e4ccc1c99ed8213bdc24b813560700daa47ca78033edd0d8993ba04 1556 217
Wscript Execution from Non C Drive Aaron Herman Sigma Integrated Rule Set (GitHub) 2f480881c25523a22197ce2abfca8d05a61f804534f8a053fbf65303a9375332 1548 108
Lolbins Process Creation with WmiPrvse Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule) Sigma Integrated Rule Set (GitHub) eb1dbd652c505f66652af5683ecfecaacb1483523b07254e9d1eaee151af6ec9 1494 2
Powerup Write Hijack DLL Subhash Popuri (@pbssubhash) Sigma Integrated Rule Set (GitHub) c50b384b3d0f5d468c48abf6ac8fd6095727405ed00d170aeadf0fc1b4add34b 1491 47
DriverQuery.EXE Execution Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) a67413f6ee51de2df640e8a66bd1d745d4e44207f484cbd3b33ac3b3fcbb0688 1458 92
Creation Exe for Service with Unquoted Path frack113 Sigma Integrated Rule Set (GitHub) 3b925709ef1196fbdf20c495c5a7972944bd56a4ab342009ef41e3f3273c15af 1448 0
Boot Configuration Tampering Via Bcdedit.EXE E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community Sigma Integrated Rule Set (GitHub) 2da0b3cba5dc2b56e1426049598590c54a224e6d15740b9b07c108e089c84520 1447 47
Windows Defender Threat Detected Ján Trenčanský Sigma Integrated Rule Set (GitHub) cf90b923dcb2c8192e6651425886607684aac6680bf25b20c39ae3f8743aebf1 1445 1143
Suspicious Recursive Takeown frack113 Sigma Integrated Rule Set (GitHub) f3043e9cf491489279145a8ffefa67bbe2fc398be8117092c11cdfdc2f9768e7 1444 1048
RunDLL32 Spawning Explorer elhoim, CD_ROM_ Sigma Integrated Rule Set (GitHub) ac298c53d8d1f5e60dfe82fb023ca044b4a7477be65c3b5eab997e0e9cf64528 1436 140
Remote Access Tool - NetSupport Execution From Unusual Location Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 0c574c15cc6c9a17edd7b81b15044dd26631d2a7f6c2d428c6d68d9816e6b84d 1403 113
Ilasm Lolbin Use Compile C-Sharp frack113 Sigma Integrated Rule Set (GitHub) 611acd0c150597ac4f2758e96797e2e85ce476be43fdec2817e9cd8bcd44de66 1396 132
Potential Emotet Activity Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) ada08103432e4112d167b1d10f0fc02281936c8fcb181de17d5bca07755bac84 1373 4
Legitimate Application Dropped Script frack113, Florian Roth Sigma Integrated Rule Set (GitHub) 2d15bc5d08223728e30ed4330ad99024b1467ac8ddb073e7ed368b0468898e80 1366 324
Whoami.EXE Execution Anomaly Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 05b85f64fdf521b059aab9daf9d75829fa4a5febd27fe09ac0224e405b57a654 1355 188
Browser Started with Remote Debugging pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 4eba2a7f729f2c02ec972ed01919c8bf5d2b8493f9d6a934f14cf0d3a55d14db 1344 135
Service Reconnaissance Via Wmic.EXE frack113, Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) d9ee3f478c792e1c6683bb60949d7041271eaeee5e5927b518a6f65e7da2607e 1295 80
DNS Query Tor Onion Address - Sysmon frack113 Sigma Integrated Rule Set (GitHub) 674f76f777472c9d2fd1dbb116a9a1a6bf35dac71c41ca14a21ac0493d7f471c 1291 87
Powershell Token Obfuscation - Powershell frack113 Sigma Integrated Rule Set (GitHub) 0328ed59c29ebeee509b67ed087523a3cbfc646542f343aa12f9b1bbd64324fe 1265 408
Suspicious GrpConv Execution Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) aa2a49ac8cb28455a3f30cf373b4ee1ade0b735bc1db5a574956be8f95fcf6d7 1253 470
ilasm.exe execution Den iuzvyk SOC Prime Threat Detection Marketplace 382ffab0f18db16a9fabc5be94893af76646b4a1c35d436ba2ae16961943008e 1244 42
Writing Of Malicious Files To The Fonts Folder Sreeman Sigma Integrated Rule Set (GitHub) 50cc064f594178311fd316bf296afdcb85c962c45cbc15ab0984ca5de2940d67 1221 4
North Korean RAT - BLINDINGCAN (Sysmon detection) Ariel Millahuel SOC Prime Threat Detection Marketplace 6bb61b38bbb774f185f535cafe7a2fc3b848377409dde9963a571d825562c79a 1220 1
Potential Rundll32 Execution With DLL Stored In ADS Harjot Singh, '@cyb3rjy0t' Sigma Integrated Rule Set (GitHub) 115d14851bb2ec7497bd4b28be653bf38f285d93d2dc7bbe1c9c7ac94a76da3f 1211 286
Suspicious Curl Change User Agents frack113 Sigma Integrated Rule Set (GitHub) 93f12e3e5c1af45ad5cce51fca771889beae9d1da27d23d889c557f217fc803f 1203 13
Usage of Renamed Sysinternals Tools - RegistrySet Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 96f6bdacbe2704258d0efb6732980de5d8c8fb4c21f34072ec9e4e2267271ec0 1189 116
Cabinet File Expansion Bhabesh Raj Sigma Integrated Rule Set (GitHub) 2c33916c73b8057eb865f965b0e9e05fddeae85fa5405eee775a7df4cd58173d 1187 390
Use of UltraVNC Remote Access Software frack113 Sigma Integrated Rule Set (GitHub) b6d588df62f37e97081e8f05b809fb56a925b1514f359dca67c7b51fe46c6812 1184 297
Suspicious PowerShell Download - PoshModule Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 69130b2eb287f08303a7092222cc3a0be896a066b64f8b32f96d08ff4708e37f 1175 53
Change Default File Association To Executable Via Assoc Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 7fb55b14b0522200d56a9829ce919bc7a3bb320b473d376575989fde5e57f8d3 1170 0
Possible Ransomware or Unauthorized MBR Modifications @neu5ron Sigma Integrated Rule Set (GitHub) 388ce51cb79d4deced7fce86e5dcf1e2eec1c04720fb2fc7e451d12abbd53416 1170 324
Bladabindi backdoor Ariel Millahuel SOC Prime Threat Detection Marketplace f47281ceea7e998eb629b82b6be68c1aaa23f6b18111420b7a52cd72b575f527 1169 1
Always Install Elevated Windows Installer Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community Sigma Integrated Rule Set (GitHub) b7188ffaa64031d83c409b5110885c29570d52a6ba3bacaee0392371cf071016 1154 473
Excel Network Connections Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0', Tim Shelton Sigma Integrated Rule Set (GitHub) cfd44c3835317e846b18021a9060f4b9b011294ec53eb3ac1fad568abeb37922 1140 899
Relevant Anti-Virus Event Florian Roth, Arnim Rupp Sigma Integrated Rule Set (GitHub) 39e7fb552f1143dc6ba79ca293aaea514c20448ec6241a53cf150f29298b942d 1140 185
Remotely Hosted HTA File Executed Via Mshta.EXE Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 25fb50db6056bc3db5e2f3d8d53b6ef8b6fad41ac3ecaf0386e316bd1711baf0 1121 52
Suspicious Driver Install by pnputil.exe Hai Vaknin @LuxNoBulIshit, Avihay eldad @aloneliassaf, Austin Songer @austinsonger Sigma Integrated Rule Set (GitHub) 8fd9d688a4929d85f6ba829ccf0fe235ff5f6bcc6ac25306e6425671b81eaa80 1117 881
PUA - NirCmd Execution Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) b206243f31b4de9b9721047301fe3728fcfc85f7c7db682bd477e0d7c41093b1 1112 73
Add User to Local Administrators Group Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) fd4f9d3b927e38cad7f6a36f5f41cae6a1450b551d9506408259953d8d4ee23d 1093 128
Wab/Wabmig Unusual Parent Or Child Processes Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 1c3bd5d3931125cc632573be718453c2b36b0f1392032fda05ad4d1982d1c0cc 1091 0
HackTool - SecurityXploded Execution Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) b097e888f96f943b0d94d7835326dbbc76b3cf117fd9407832fbace74cb60f48 1086 51
HackTool - UACMe Akagi Execution Christian Burkard (Nextron Systems), Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 3c4f6f1af78c01c8d7d6fcdd27c3167044933fcdf73f667e973ce1068765ea16 1055 4
Operation Vicious Panda (COVID-19 Campaign) Ariel Millahuel SOC Prime Threat Detection Marketplace cf68f11f087c4b3b504b67cb0a9e4a499e486a6de10aee0811ab515d3336d7f1 1021 30
CMSTP Execution Process Creation Nik Seetharaman Sigma Integrated Rule Set (GitHub) 4ef4d3aed2ed44386659d6aefb7649de9568189358f367fb8708d1870d19fdc7 1019 80
Potential Raspberry Robin Dot Ending File Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 36337e6a48c8f0ee0480d1739b35c93b2d000d9b86a4ac01dbf80b5960b6db32 1000 669
Suspicious LNK Double Extension File Nasreddine Bencherchali (Nextron Systems), frack113 Sigma Integrated Rule Set (GitHub) a22ff20d7afa397abe4e6127e6da647b437781be86602fc20a88c1403f1200bc 998 709
Malicious PowerShell Keywords Sean Metcalf (source), Florian Roth (rule) Sigma Integrated Rule Set (GitHub) 5bd56545b7e384edee75e378b7ee025e05f6bcb012607cb6425ccedd54fdb070 996 49
PowerShell Script With File Upload Capabilities frack113 Sigma Integrated Rule Set (GitHub) 80e1441e8251586c742da610b4bceb4d94fbe79f4e8b64b9745b6a11da90d7c1 994 220
Script Interpreter Execution From Suspicious Folder Florian Roth Sigma Integrated Rule Set (GitHub) 92acfd50d9fe4d995d6998a5346e4e031ea037d422458bb4f74555a52ffc886c 989 112
Creation In User Word Startup Folder frack113 Sigma Integrated Rule Set (GitHub) f441bf0f20310d2f8fb4c38b047725cf9bafb59c2a7634f73d2d38745157b248 980 59
Read Contents From Stdin Via Cmd.EXE frack113, Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 0db9fba426142aca003830de31e38a7318ed0a3a299852f6bc4cbe8bc905515f 963 79
DUNIHI Malware Ariel Millahuel SOC Prime Threat Detection Marketplace 7c58e06f9c4bfbbca18106234f802a2f21fcd03ca11bcc0d10c040d1e451d4b1 956 3
Potential Recon Activity Via Nltest.EXE Craig Young, oscd.community, Georg Lauenstein Sigma Integrated Rule Set (GitHub) 1419b2c28c143f7062ef95f941065d5327c65890cab58ade41efd168132d8b3b 928 152
A Member Was Added to a Security-Enabled Global Group Alexandr Yampolskyi, SOC Prime Sigma Integrated Rule Set (GitHub) ba8140e5173f7647dc01d2d1aae82bf84283f52c7aece9e9a61f7f5e75ffe53a 926 47
New Kernel Driver Via SC.EXE Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) b1f54a781e9cc27de125f11b56abc94639629aaf0f1fdf9072886fde50266b7e 911 405
Powershell download and execute file Joe Security Joe Security Rule Set (GitHub) 1fd2d09eff791a970cc2ad6da0820134ef9d52d4341ab32028edd04e8dd158bd 906 23
Windows Share Mount Via Net.EXE Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 9816ac44605bf8e1595ecff4424e6d78357aaa8449a03737687a18866b736909 898 362
Suspicious Manipulation Of Default Accounts Via Net.EXE Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 4932dce91cb1fcd2986acdfc28c116d5bd4899b8052649b068effd4022c81f8a 897 107
Mimikatz Use Florian Roth (rule), David ANDRE (additional keywords) Sigma Integrated Rule Set (GitHub) 62e99f238afed27b43182594e90243db3ec17324c819a349f12ed55c015e5a71 891 0
HH.EXE Network Connections Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 4630d11b74b3a0ee68be5cd7788cbf0adc046f1248a513c2971cf8dd4a03835b 866 782
Suspicious Userinit Child Process Florian Roth (rule), Samir Bousseaden (idea) Sigma Integrated Rule Set (GitHub) 1170a97b19098b92c7fea421765b81d0cea10e0140d9fed3c4d0769718c4b248 857 1
Valak Behavior (Sysmon and Cmdline) Ariel Millahuel SOC Prime Threat Detection Marketplace 7703b5b01adde91ddc9f6ec5a2ba30dd35be11277cad519ecdf5442a8358319f 857 99
PUA - Process Hacker Execution Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 9a58c7a82520f7b9dc792cd56e2fce86b3157b6cef6fb23101ba29111c5e4733 852 37
SideWinder Ransomware (Sysmon detection) Ariel Millahuel SOC Prime Threat Detection Marketplace 1f154d23ec03058edb48ed3380f862daca50719af728e0660a5dc14a5ab5b867 844 52
CMSTP Execution Nik Seetharaman SOC Prime Threat Detection Marketplace 7577d4e0fc2ced5cc24f093d5dca8c02dd117651e5112bee21b6526b7fa34075 828 46
Bladabindi backdoor Ariel Millahuel SOC Prime Threat Detection Marketplace 21b5ec718fa5dffa5785f1bdf68d0bab711e89bf6d4613aab3af0c7d0acdbd0a 788 0
Potential Windows Defender Tampering Via Wmic.EXE frack113 Sigma Integrated Rule Set (GitHub) 3ba90b1c0830dec1dbbd2f42eb503552860963d25a6bbe081b92875c243be50d 777 6
Disable Windows Firewall by Registry frack113 Sigma Integrated Rule Set (GitHub) 2e9f34a4006a3d9169bfe02d2b846c4db28b03c5394e9216e6dac294db0644f8 758 3
Suspicious Extexport Execution frack113 Sigma Integrated Rule Set (GitHub) 942c07d4243aed525402c1e4e2f9880b477ba72abc7023c30c9c10737399e077 754 44
Domain Trust Discovery E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community, omkar72 Sigma Integrated Rule Set (GitHub) e5bf067d8fc5f77622680e942156a44de63eda6026750ac80c29d0304dca435e 752 0
Quasar Joe Security Joe Security Rule Set (GitHub) 295f36b4fe50737f7d27a3862ea45297f78efdf77ab2decd501b4a852765ceaf 750 10
CMSTP Execution Registry Event Nik Seetharaman Sigma Integrated Rule Set (GitHub) ffeb4d256edb1234faf30da37a584025d92817eb5a21c5394c4c6d78e3922d95 744 19
DLL Sideloading by Microsoft Defender Bhabesh Raj Sigma Integrated Rule Set (GitHub) 3a9cafc6a4cdfee1d351b5145ef1b7d6a64e707b04945a9fa54298173b7eaa64 739 94
File Download Via Bitsadmin To An Uncommon Target Folder Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 26ba1712f407ff4fbcd023c45091ebd8daf92a2befec4d5f1969002f7eeead49 737 112
Modify Group Policy Settings frack113 Sigma Integrated Rule Set (GitHub) dfec584345112d1012631493a8cdef4a2eb03ea5bd33d360363e24776a148a71 728 97
Suspicious commandline parameters (shellcode in the command line) Den Iuzvyk SOC Prime Threat Detection Marketplace c6bf20aec5b9dd748265363c7d01846ca0a5fc666f1114770a8bb7f5e764e4e2 724 396
Potential Command Line Path Traversal Evasion Attempt Christian Burkard (Nextron Systems) Sigma Integrated Rule Set (GitHub) 2a64ca949e5ce433b70a21b4be0e71e5ad0cd2465395fd093410ce2d33177cdc 722 148
Copy itself to suspicious location via type command Joe Security Joe Security Rule Set (GitHub) ca9a79f8e23430115778a41aa4671433713b393278e1a60331cbb991a0f30f82 720 56
Potential In-Memory Execution Using Reflection.Assembly frack113 Sigma Integrated Rule Set (GitHub) 912f22774b3e6d5ee33f034551a616aae59ae320fe812cf9c2010432ca80df77 720 230
MZRevenge Ransomware Ariel Millahuel SOC Prime Threat Detection Marketplace aa09c929bbf92e934dc584324a80a81643f2c336dba38293142077f86bdde84b 716 356
Suspicious Scan Loop Network frack113 Sigma Integrated Rule Set (GitHub) 14d137deb681ad845cc2e1992b2e9cb3490ddb1372d62da747f4042d7e6b87b0 708 67
Potential Ryuk Ransomware Activity Florian Roth (Nextron Systems), Vasiliy Burov, Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 38e5073851afbf6c39ea309703c229e83988c6d3548896a389e9ef8795917947 707 15
PUA - NSudo Execution Florian Roth (Nextron Systems), Nasreddine Bencherchali Sigma Integrated Rule Set (GitHub) 813ebaa5c2ede1835703f1defdfeae762f95ae97f36a5ee2da94b4b2b0877e5a 691 12
Potential Data Stealing Via Chromium Headless Debugging Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 894bc44621968b8ec9fc62b70f7ecf4d2f1e5bf6ff6c9e1c450929a2f2d8cc09 690 14
Suspicious Firewall Configuration Discovery Via Netsh.EXE frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io' Sigma Integrated Rule Set (GitHub) 25c7926ea5dfde7ab41cd4aeebfb89e01d4dcb8b7243522af4f643f690d857c7 688 154
Windows Internet Hosted WebDav Share Mount Via Net.EXE Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 958619e5eaecca1767a6c71701ed1838a9cbb62ccabbe7c6a9d8679a3fc0e0f8 688 279
Suspicious Query of MachineGUID frack113 Sigma Integrated Rule Set (GitHub) 5b823c33b4d7a619c0190d52bf60fd92f6768d9bff34fb85446b00ca141f030a 675 361
Start of NT Virtual DOS Machine frack113 Sigma Integrated Rule Set (GitHub) 705bee7ec50dc3b36f21deb0d2cb6e19b1a84d8142bae256797827d59ddcd242 651 71
WMI Remote Command Execution frack113 Sigma Integrated Rule Set (GitHub) c63cb58172dccb53cf9cd1dd7f6a65cc8843987d003bcbb7b0c1e7769c3821c4 637 178
MZRevenge Ransomware Ariel Millahuel SOC Prime Threat Detection Marketplace c5132d9b7ddc56b36fc0095350bd8556ff7fc29c750387be3e0344beddf41f7b 617 303
Steal Google chrome login data Joe Security Joe Security Rule Set (GitHub) acba408186cae97e9de5ad46ba35ffdf61f94f181c5287bfd9e76aa1e5293b1b 609 0
DUNIHI Malware Ariel Millahuel SOC Prime Threat Detection Marketplace f4f15f4329fad912838474d3d5eb2925ae7045b2046b5dcf92c7c16c189927b5 593 0
Nocturnal Stealer Ariel Millahuel SOC Prime Threat Detection Marketplace 08655a77d7ea003dba35be4775284dd12a24f9469c9e93ad2d085afe3f4e91d8 589 5
File Download Via Bitsadmin To A Suspicious Target Folder Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) a88a5cca5a8f8c7db551190230651c821a8acb62ba7f1da53866381af9c5263d 587 312
Indirect Command Execution via Forfiles Tim Rauch (rule), Elastic (idea) Sigma Integrated Rule Set (GitHub) 21c4db1b5b4f502860c9d961662f1f7daa62cf3e4c4c9712977dae1ad368a19e 584 7
Session Manager Autorun Keys Modification Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) Sigma Integrated Rule Set (GitHub) 9acd91066b664aa3f4181a28555facbc432bae9a4c8502aa92ceae1de1f31753 579 287
Renamed NetSupport RAT Execution Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) fede1c0268e88b6a7ec369e9c62c124a24ab5c7f9adc969af706be5000e0e8c1 570 108
Regsvr32 Network Activity Dmitriy Lifanov, oscd.community Sigma Integrated Rule Set (GitHub) 047ea96432123c5b2a32816291dc196702b51bd9d49adb2c1673b59dd0018a0c 567 146
DLL Search Order Hijacking Via Additional Space in Path frack113, Nasreddine Bencherchali Sigma Integrated Rule Set (GitHub) eec4fdc586db73cdad5bc34b172ecb132a75f4607c84cdeef26a811db01918fd 566 7
Python Inline Command Execution Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 4eb25eff0b4d84652480301d5845b79be20cecc54ff18737ad9fde16370bcb4a 558 406
Detected Windows Software Discovery - PowerShell Nikita Nazarov, oscd.community Sigma Integrated Rule Set (GitHub) 2f2546b453b2e10b60c4d6b1345bc05c2dc99e42daef2e236a11005d772937ad 536 90
Remote File Download using GfxDownloadWrapper.exe Den Iuzvyk SOC Prime Threat Detection Marketplace 16dd4d7c651cd862752fb483a4e7898c821603b1739b7aecb11298a6e931189e 534 534
Bitsadmin Download Michael Haag, FPT.EagleEye Sigma Integrated Rule Set (GitHub) aca8c04f52d20c1f8ac7c5fda7686124759166ab9439145354e331faaf792bb9 532 121
Suspicious Task Added by Bitsadmin frack113 Sigma Integrated Rule Set (GitHub) 1bd7a375097c5f1afa59522776e79bf741057e59bdf9df33985fe7db095c655c 528 127
Tasks Folder Evasion Sreeman Sigma Integrated Rule Set (GitHub) ab8ea26663a3935bd7f1783455f465a74c106836d5a68c19a61dec68dd2596c0 526 1
Potential Browser Data Stealing Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 7f302700c67727730ec082001e9f6840f366aca520673a11d09dd130bfc31429 524 54
Potentially Suspicious Child Process Of Regsvr32 elhoim, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 7d605643d3d8c564d51574a154eb77dd6009d4c2a39133d7fe93089f5764286b 523 0
Renamed Plink Execution Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 0b74fe58c124fa3f0817cadd3efb94d64ded5662336971846facb96d8b01e56a 522 136
PipeMon malware detection (Winnti Group) Ariel Millahuel SOC Prime Threat Detection Marketplace 7f7471486789b0240cf2b95271088889269baee8e3fb42b0cdb6d71d7d37588d 518 376
Powershell adding suspicious path to exclusion list Joe Security Joe Security Rule Set (GitHub) d933fed60e38128e7e3586361ae42b885a5285e04ab14da997282550a77a9059 508 19
System Scripts Autorun Keys Modification Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) Sigma Integrated Rule Set (GitHub) e508e0cd0078f2c99fa9a87448bebda5652165ba069b1c9c4a89ecc4a2b385ca 505 0
Spora Ransomware Ariel Millahuel SOC Prime Threat Detection Marketplace 4dce473be53cdc44d945acff82c6e5ef53b3304748f9aebc8d4f586230520785 497 129
Weak or Abused Passwords In CLI Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 505504b564af2ed8ba77826b758a9eb5bda1701b18ffd11a5266b48d417692fe 494 150
LimeRAT Joe Security Joe Security Rule Set (GitHub) 667c9dcf6079fd28997e3e2b10b629c8ddbbd7bdffee1889aef6476277791e13 488 5
CMSTP Execution Nik Seetharaman SOC Prime Threat Detection Marketplace 7d8b8c88008f45dc07b07590cdf039437686d441d35e7204ba91a632ebc9439c 482 42
Malicious PowerShell Commandlets - ProcessCreation Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 6109e5a50653d03dbabfcf3bdf71fa77c6e2430050d589990fe4869424a68d5f 479 98
Potential Startup Shortcut Persistence Via PowerShell.EXE Christopher Peacock '@securepeacock', SCYTHE Sigma Integrated Rule Set (GitHub) 537a092527e25f9e54a3ddb6667c0303fbda5891d2f933ec0fc62bd4a5572cb4 471 49
Suspicious Msiexec Quiet Install From Remote Location Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 62641a1f33f67c78cb5f920f86788ab9e084dd90a20f1bbe56bd0de87f85b129 471 133
Use of Squirrel.exe Nasreddine Bencherchali (Nextron Systems), Karneades / Markus Neis, Jonhnathan Ribeiro, oscd.community Sigma Integrated Rule Set (GitHub) a7aba66fc56c50a87fc053cf4dbd37af1845fac642e98272db5c4d804dc66de5 468 273
Potential Persistence Via Notepad++ Plugins Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 1492d5fa8f02d4d7ce8b5c279841da26a3dae0da5562729690d1875944341bc0 461 152
UAC Bypass Using PkgMgr and DISM Christian Burkard Sigma Integrated Rule Set (GitHub) 5b0ad2dce2b0a9bde121d5016b3379c08f507ccce3f43e43a65fe518a16ba50c 460 26
CMSTP Execution Nik Seetharaman SOC Prime Threat Detection Marketplace 58d4fbfb0b53744348e77deba3d12df957601d7b27fda30abc676523e9634cda 451 11
Cmd.EXE Missing Space Characters Execution Anomaly Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 4bb625c721776edc38f264e032f4677eecbdd60e011a95fa267baee02fc262c4 450 39
Suspicious exeplorer.exe execution Den Iuzvyk SOC Prime Threat Detection Marketplace 2f0a10e6befc35eb8cf3d8af89b1db1a84a53b5aff114a90c2d1b0a3a697d1ac 445 29
PUA - AdvancedRun Execution Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 1acf8a5bd4b9da5f502c337d49e41685a8b09ec964d979cda876f038871b43fa 444 17
HackTool - Rubeus Execution Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 74f9a93f96bad4ba440f105a789ab5905ef284191baa105737e7ac861d13bd44 441 0
Shells Spawned by Java Andreas Hunkeler (@Karneades), Nasreddine Bencherchali Sigma Integrated Rule Set (GitHub) 0eced37f0ea111b4f9b0de81cecda56610adc30fad4061274a488187f71b395d 441 67
Malicious behaviour on user login (Microsoft Windows - c0d0s0 group behavior) Ariel Millahuel SOC Prime Threat Detection Marketplace bf0f7d2a84916abcc597e4a38a6231519b38af0223147ef15e28c7ab83f47c7d 435 119
Operator Bloopers Cobalt Strike Commands _pete_0, TheDFIRReport Sigma Integrated Rule Set (GitHub) fc1c644d943e763e67a7951dbec3c33d1e4710aed85f336a114eac8b43c735f5 433 13
Copy file to startup via Powershell Joe Security Joe Security Rule Set (GitHub) f81996947f17d7a0b11829404a9a1b42e1041d6d013b0021dda3bbbb35dfa106 432 1
Rundll32 Without Parameters Bartlomiej Czyz, Relativity Sigma Integrated Rule Set (GitHub) de72fd0fbb1418b8eddde8492f15f221fc84e0ca0d3ca576ccd0ff897fb98037 424 1
Run temp file via regsvr32 Joe Security Joe Security Rule Set (GitHub) c70694dd88c0a5a32ad8a52ef4ad97a6525c281308ba84e791661580aab19264 423 86
Windows Screen Capture with CopyFromScreen frack113 Sigma Integrated Rule Set (GitHub) f8a626af728b3adf32c5a523da76b149e1f41d45e55c4f3b2cb7895c3920b449 422 39
Disable Internal Tools or Feature in Registry frack113, Nasreddine Bencherchali Sigma Integrated Rule Set (GitHub) 86c36bfac526414900d3b4c6f66d0b7bb2cf11a511b7ad65c486685dc8d4d05f 419 10
Automated Collection Command PowerShell frack113 Sigma Integrated Rule Set (GitHub) beee5a67cef9cbdfd4d0e1db0dc60dff160df233b0948d9988a2ca819a41727c 412 68
Suspicious Download From File-Sharing Website Via Bitsadmin Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 54145fc7feb54b73cba1cc24c4cd84fd7f99ba4e75cc334003bc39785217bc30 400 77
Tor Client or Tor Browser Use frack113 Sigma Integrated Rule Set (GitHub) 5e1ab62fc9383aad72ce1011e101e15342e386adc35483e383f335b0e5904f84 400 20
Malicious Nishang PowerShell Commandlets Alec Costello Sigma Integrated Rule Set (GitHub) b80c35f99523537c476487e505edb0c210eea308fa18707fdcd5aa54d136e3ce 397 32
Lazarus Activity Bhabesh Raj Sigma Integrated Rule Set (GitHub) 735c9c8d6f2afa0f395d670a4d21f211de96cbab610a1a63b20bcc981d975f0f 393 1
PUA - AdvancedRun Suspicious Execution Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 75719e469ef20b32e309a7f6531a0e2548349e059e4c4d943740490e0dd8f526 387 0
Malicious PowerShell Commandlets Sean Metcalf (source), Florian Roth (rule), Bartlomiej Czyz @bczyz1 (update), oscd.community (update), Nasreddine Bencherchali (update), Tim Shelton (fp), Mustafa Kaan Demir (update), Georg Lauenstein (update) Sigma Integrated Rule Set (GitHub) bbb841b3f1cb3bdb122737ca0755cb93d982ecca4651de2822af469b59071f87 385 53
PowerShell Deleted Mounted Share oscd.community, @redcanary, Zach Stanford @svch0st Sigma Integrated Rule Set (GitHub) 7d4fc33c33fc31d17a2c9ee04cb6e1114c58cbeec3fa2b7cd4f5502b2d28d6ba 382 135
Set autostart key via New-ItemProperty Cmdlet Joe Security Joe Security Rule Set (GitHub) 20d65fc22a4ca2deedfc3a40bcfd0522766c18fa1ebd190b9d8fd068ee94ec0b 378 10
Enumeration for 3rd Party Creds From CLI Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 9459f67b1253cc08abbddb96a073b963a102b013d6fb679d6a0273540ad7b19f 375 29
Potential PowerShell Obfuscation Using Alias Cmdlets frack113 Sigma Integrated Rule Set (GitHub) c085cde9af85b182e783b8d7b42d66d3d0efe08696b4fe7946da3d5d1a2cd51e 373 188
Powershell Exfiltration Over SMTP frack113 Sigma Integrated Rule Set (GitHub) b09b9f74febb3e25b3de69614b6193a2740c00fe9e7ccf5e62f503de56c5c1bf 371 132
Rhadamanthys Stealer Module Launch Via Rundll32.EXE TropChaud Sigma Integrated Rule Set (GitHub) de0e634fa9106c661586ec7674b77259237dd3f5bd92358ce52a278d05072e99 367 2
File With Suspicious Extension Downloaded Via Bitsadmin Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 6650c06d796cadbfac3560efcd86cb681d552bf6cb9c4d1fa9b6c82b556ae087 366 87
Suspicious Scheduled Task Creation Involving Temp Folder Florian Roth Sigma Integrated Rule Set (GitHub) c81c0126a6006ad9dbec7215030642dac0a918f133b33aa4c077f9676d84cd58 365 0
Use of CLIP frack113 Sigma Integrated Rule Set (GitHub) d1138c20627ece208ac948647342866415641b06510830449eb2bf7d2f32e4af 361 31
Suspicious Epmap Connection frack113, Tim Shelton (fps) Sigma Integrated Rule Set (GitHub) f7111a6bcb3ca53bd2233e4c87e194a56653dc72a81d92c78e707b7348c4f241 342 8
Suspicious FromBase64String Usage On Gzip Archive - Process Creation frack113 Sigma Integrated Rule Set (GitHub) 7ba93fc93efb5d8901f3061f6c7f586575a9b70f53e7c4e4241975131258aac9 342 0
Suspicious Rundll32 Execution With Image Extension Hieu Tran Sigma Integrated Rule Set (GitHub) 9103c9abde5b20f2b8e59ee53ea823a7c4e9d171c3f07a383b2ee7c0b3f792f6 341 140
ScreenConnect Remote Access Florian Roth Sigma Integrated Rule Set (GitHub) 29112c1d912aafdd95b322ff1127f1fde6560b1d2e3dc1484d11d9d222af7435 339 10
Schedule script from internet via mshta Joe Security Joe Security Rule Set (GitHub) a3c2a24a999f3a9870f6ace27e73e7bdf30d18dcf0bc4873bfe196f5bec81ad4 330 2
Suspicious Whoami.EXE Execution Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) accf31ff0e1e1b6219d9c964b9ca9832458e71ee32cac96d64cb26de422128f2 326 67
Potential Persistence Via Shim Database Modification frack113 Sigma Integrated Rule Set (GitHub) 8c893b41c5a28ef36c6b16d709f057af26436898776837e685d30b93672c2de1 323 103
Remcos Joe Security Joe Security Rule Set (GitHub) b50b6d86173debc4d608b981e7d6b5136092c515286d20c0eafcce3b7c411dde 321 0
credwiz.exe DLL side loading Den Iuzvyk SOC Prime Threat Detection Marketplace d83f2abd95409ecc8fb4d4930072a48b4a677def3d31b022a95e99d5873fc27a 321 34
Register DLL with spoofed extension Joe Security Joe Security Rule Set (GitHub) ff70195d476ffa7a3d8e0b1503ffeca1e8707431b00403dfa695732599b571f5 314 203
Disable Windows Event Logging Via Registry frack113, Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 7496876fb48565b8278bf669ff38b2846b842f9f663b755f72c105f928ae76c6 311 70
Renamed Mavinject.EXE Execution frack113, Florian Roth Sigma Integrated Rule Set (GitHub) 7e9ffe282ed5cf9a47857b911d7d92611b0af4f61bfe1bf89131f57080e0100c 308 31
Extracting Information with PowerShell frack113 Sigma Integrated Rule Set (GitHub) 4e243e6a618f306cfd754df3b30132c4fa518c4ad26b6d755244064cd3110b0f 305 157
Zip A Folder With PowerShell For Staging In Temp - PowerShell Script frack113 Sigma Integrated Rule Set (GitHub) 4f19758bce122aae71a356110cf88e95df101e099a2b95e2472e44201244475d 302 17
Suspicious Chromium Browser Instance Executed With Custom Extensions Aedan Russell, frack113, X__Junior (Nextron Systems) Sigma Integrated Rule Set (GitHub) 5511a10e5fd658ddc15e8b7fa4c8cc7cd60289f6e54d703f50a9f3a8134ab796 289 6
Powershell Install a DLL in System Directory frack113, Nasreddine Bencherchali Sigma Integrated Rule Set (GitHub) 51fc69e23d6cd3acb20d821dbe95596fb6d8cc314866c51a6a23033b83818ee8 282 68
Use of Wfc.exe Christopher Peacock @SecurePeacock, SCYTHE @scythe_io Sigma Integrated Rule Set (GitHub) 828fcf5b0d289ec191b7e622d323a6e6def6af24a2d4aa575f7f8543ffd3de0e 282 33
Office Template Creation Max Altgelt (Nextron Systems) Sigma Integrated Rule Set (GitHub) b52847695c6477e59d07e791f5afc7389180b1087054b513284bdbadfe15f22c 278 59
Powershell Token Obfuscation - Process Creation frack113 Sigma Integrated Rule Set (GitHub) 6dd3abd7ee97d24f91e01e6fe236e6d2b8b12c2943ed9bb875e5613bf3deb8d6 277 15
Potential Tampering With RDP Related Registry Keys Via Reg.EXE pH-T (Nextron Systems), @Kostastsale, @TheDFIRReport Sigma Integrated Rule Set (GitHub) e56cee5542b4c0d63057ea40087d4adf80e75c85d61d4c444e7b3f9b64a62cd5 270 77
UAC Bypass via Event Viewer Florian Roth Sigma Integrated Rule Set (GitHub) d37f057d76500ae8527178a9ea367395f2bde798f1cd048621be74f915b28aa7 270 0
Check external IP via Powershell Joe Security Joe Security Rule Set (GitHub) 4b3ac3a4fac3672c92791075c26f1e10555eb3385628b923bccd8cbbd5dc83a1 269 33
Renamed CreateDump Utility Execution Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) ed9dd3a8bde9d3f74318eae5a66dc75d50f12cb32fd6854fb7289d91507b60c9 268 217
Outgoing Logon with New Credentials Max Altgelt (Nextron Systems) Sigma Integrated Rule Set (GitHub) 55191fe8fd6505fe4952b024afcf9016670b4fade05502947a91ca4d3558d59d 264 39
Schedule hidden powershell script Joe Security Joe Security Rule Set (GitHub) 9277300d8dfe7cfc29e41129553c4d7c59c4b709d4b1716c8fe9cc037c9bc29d 261 8
MSBuild connects to smtp port Joe Security Joe Security Rule Set (GitHub) 86905c36f5c4e855311f702723eec0c6a4dc9e9992fcec9b2ddcce685b7c2e09 259 0
AMSI Bypass Pattern Assembly GetType Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 0a84db82d1740ebcf2c704e4d71ef3e033441b714135baf3b4025983a8c4e14a 251 1
Potential Suspicious Activity Using SeCEdit Janantha Marasinghe Sigma Integrated Rule Set (GitHub) 49aac70aa91f01a7539b5678a4fd244f32b078c30cec03a7ca460298d59a2a43 251 138
PUA - Advanced IP Scanner Execution Nasreddine Bencherchali (Nextron Systems), @ROxPinTeddy Sigma Integrated Rule Set (GitHub) eba28e9e2b6ff9e170e3534ea8b1e863757d5c976a9a84e4bbf5bd6ffeea5325 248 131
Use of UltraViewer Remote Access Software frack113 Sigma Integrated Rule Set (GitHub) e5a4bf7a1c38d3917af9af6ae6ee7c2038a1ad6450721694cc741d2410b05834 247 73
Execute Invoke-command on Remote Host frack113 Sigma Integrated Rule Set (GitHub) 61dae8b0a35fc9369e410406f226b559d6c9cb12837347724e7c4f9281869910 244 66
Outbound Network Connection To Public IP Via Winlogon Christopher Peacock @securepeacock, SCYTHE @scythe_io Sigma Integrated Rule Set (GitHub) 030a43138df8f268a688b4d336377f9ae24dca9828eec55a36d20824b6201ae9 244 0
Malicious PowerView PowerShell Commandlets Bhabesh Raj Sigma Integrated Rule Set (GitHub) c9a0fa3e3f43c8762528ddcca56a26673a3f37eb9077f2657884e8b847fb9ba8 238 91
HackTool - winPEAS Execution Georg Lauenstein (sure[secure]) Sigma Integrated Rule Set (GitHub) bdf9a7887267777773c9949f494e9799efef1be392343e309b16334f10b7bd66 236 36
Suspicious Add User to Remote Desktop Users Group Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 04ed3e23df49b07ebec11f2374d1ccce40bc71d867b1f8e29ea40b1b9e878ac3 236 29
Office product drops script at suspicious location Joe Security Joe Security Rule Set (GitHub) 67124e7349285a993dc331738db576ef56c6cb9724bf1cea7695561498a0fb35 234 32
Potential Persistence Via Powershell Search Order Hijacking - Task pH-T (Nextron Systems), Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 262548bdd551b5516ac8ba4e7c13b94c1164ea5766dc08877e95dcb2930be717 233 28
Potential Powershell ReverseShell Connection FPT.EagleEye, wagga, Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 1b46ecd9aa9660208e7f7cbb3e4ad79d7fc469adb5c2c5dc81af712ebce9b80c 229 5
Execution of Powershell Script in Public Folder Max Altgelt (Nextron Systems) Sigma Integrated Rule Set (GitHub) 2a39a26b108b99d76b325cabad67ed0b401f56104a863ba5158e0d3b889adc0d 228 41
PowerShell Get-Clipboard Cmdlet Via CLI Nasreddine Bencherchali Sigma Integrated Rule Set (GitHub) 405f59430cd2ef58f1b3387a7fc5708e7dd6da1082e96fe6cb359c46daa4e056 226 45
Connection Initiated Via Certutil.EXE frack113, Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 80b6e3dc8d08ed8e3d4ef52e59af689b5f0215b08d92b3fce2310539c37b6b31 221 24
WMIC Remote Command Execution frack113, Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) a72068f1e78b9563b352425ce5dd77aeaebcabfd4790a51a78cfd11d07e016a8 220 61
Suspicious WERMGR Process Patterns Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 656aa4cd1d10955cd1240f1e010961aaeabc323850ef28dcdecc9f334ffabd54 216 2
Autorun Keys Modification Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton Sigma Integrated Rule Set (GitHub) c654002dc2859e8a2f74ec87ad6ff4deaaf0f42f99603aa964e30ed1b1f01cc1 214 3
Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE jmallette, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 396c0639fa0d38dbd62b1c1baa0fae0b008178fb81dfebaf1cc70a858c610190 214 86
Suspicious Mount-DiskImage frack113 Sigma Integrated Rule Set (GitHub) 8aa937de88282ab672836441edf50f760451a9112887ad0867753ab1b9fc5a4f 213 82
PowerShell Get Clipboard Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) Sigma Integrated Rule Set (GitHub) 524490479b353ff8d877b617014d2cbb9a65d782e87caae21e923760fd2ed255 212 12
Uninstall Sysinternals Sysmon frack113 Sigma Integrated Rule Set (GitHub) 422a2d0c4ea81e0f14306603309b37fedea591abe396235a46638eedb3aa069a 212 2
New BITS Job Created Via PowerShell frack113 Sigma Integrated Rule Set (GitHub) cfec5ce24be18b8a5b6ee565ce5bb62f0aa614ff0754094a9cb6d113b97decbe 210 32
Suspicious Get Local Groups Information - PowerShell frack113 Sigma Integrated Rule Set (GitHub) 5ef6bc365a01e6ef90c1fc4f49006e9a8fe08e82c0a9ce80c10153915771547b 209 63
Suspicious PowerShell IEX Execution Patterns Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 9cede5a1c6382a5e4dd57d439fbcb57f927088bb5c3e1d4019c03562c3b4f9e5 207 8
Schedule binary from dotnet directory Joe Security Joe Security Rule Set (GitHub) 3c44dc412b67786cb131e2f723dbcfd035125eb3c04b66bc8baf4a7efe0ac581 204 0
Password Provided In Command Line Of Net.exe Tim Shelton (HAWK.IO) Sigma Integrated Rule Set (GitHub) 356834a41f1b8ed94c954435f27d64f970ba67b17ac5474ddb8357cfbb8de8d8 200 125
Glupteba malware detection Ariel Millahuel SOC Prime Threat Detection Marketplace f75c71f7be8a63670e0c606b582900d5a921916b46408da383beb0786cb5588f 198 0
Powershell Sensitive File Discovery frack113 Sigma Integrated Rule Set (GitHub) a4c59bdaf575107ce23b3c6e62c772eece15e1f61e51a236e70e3b95c48bf0a8 197 83
Suspicious FromBase64String Usage On Gzip Archive - Ps Script frack113 Sigma Integrated Rule Set (GitHub) 4c7e768ac31ad9f19aa32c2c10eb81eb9b6ae9d00129f474125bbfa6e8cf42ae 194 6
Register Jar In Run Key Joe Security Joe Security Rule Set (GitHub) a251b526d9024ed7f489fe7b9c2182080e067f2d35068063c5fd326283d9b1ba 191 0
| TAINTEDSCRIBE - North Korean Trojan (Hidden Cobra) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 97f6a22231c4c8e243c104bf226d8fd3875f335f00fc724750e6b691770fbc5a | 190 | 115 |
| Suspicious Shells Spawned by Java | Andreas Hunkeler (@Karneades), Florian Roth | Sigma Integrated Rule Set (GitHub) | 0119b24f133d3f3142f84b35c30b7b1c417c4418f4d18098200208947ac5d041 | 188 | 46 |
| Suspicious Connection to Remote Account | frack113 | Sigma Integrated Rule Set (GitHub) | 71f9611fe50b2788a25e6b1c3fb3d035c5e04dfe73447ed185bfde157084fc72 | 184 | 59 |
| Suspicious Start-Process PassThru | frack113 | Sigma Integrated Rule Set (GitHub) | ce0c4f663ae2b2d04af92c5309f25b12035419b2fc2b6b9c161ab8c7830e3e52 | 180 | 53 |
| Suspicious Schtasks Execution AppData Folder | pH-T (Nextron Systems), Nasreddine Bencherchali | Sigma Integrated Rule Set (GitHub) | a09b70879bee26f128e93430015539e1b08567dd211bd7411ff6e600ed8d5f6b | 179 | 29 |
| Windows Hotfix Updates Reconnaissance Via Wmic.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 392fcdac1175baa32b5f9e8899fc0dcd24fb0c6c9390adfd646bd983451e2810 | 178 | 60 |
| Netsh Allow Group Policy on Microsoft Defender Firewall | frack113 | Sigma Integrated Rule Set (GitHub) | 631a83ba9daa9bb7ff02be55784068db1eeaa6935ea10809a1b8a8cf4ce2abd3 | 176 | 36 |
| Socelars Malware (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 3b19facf348c1fe8db660733298928cb749e5dafe84ca3025f86b31129352e51 | 176 | 0 |
| New Root or CA or AuthRoot Certificate to Store | frack113 | Sigma Integrated Rule Set (GitHub) | 924e45f65b58d749e29df4b23b32058847bb1b15673ee93b0f9a0fc94359b19b | 172 | 50 |
| Remote Access Tool - RURAT Execution From Unusual Location | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | afdd67de130ff9c5fd2b18ca53480574ad0613d99edb23555df03caaf3cd774b | 169 | 4 |
| Suspicious Reg Add Open Command | frack113 | Sigma Integrated Rule Set (GitHub) | 81f2a11aeadd681c5a2bbef5acdebbc356da424e56854a985e3c7eb0aded2fba | 169 | 24 |
| Modify Group Policy Settings - ScriptBlockLogging | frack113 | Sigma Integrated Rule Set (GitHub) | 312aebbf9dd01274971762d360bf4d4870a7b7138c7cc149d33a9ba8df72b293 | 167 | 134 |
| Change User Agents with WebRequest | frack113 | Sigma Integrated Rule Set (GitHub) | 024c79f380ec5ead6ad1ccc07deb79a5a281021a443831220b62f700f9cfe3d5 | 163 | 32 |
| Equation Editor Network Connection | Max Altgelt (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 0418449ae011d99278f952cf0feb26a91074c66d4f9fd7f162f91ae71262c40e | 163 | 0 |
| Procdump Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | c3f48ada664e96b916cbb2ed88c7f622ced143f3f9e2c039bd4516f81e1c1e4a | 163 | 46 |
| Wake-On-Lan | Joe Security | Joe Security Rule Set (GitHub) | 7695d2af7ecb7540baa69cd6442745f2c3bdd83d21c904b7a09b2d560c123439 | 161 | 1 |
| Brontok Trojan | Ariel Millahuel | SOC Prime Threat Detection Marketplace | cc37d2c965977a035bf3e0e5adc5d1ad561e00eeecc80cde19feb01566a5fa61 | 160 | 0 |
| Custom File Open Handler Executes PowerShell | CD_R0M_ | Sigma Integrated Rule Set (GitHub) | e441ec55e6c79f736b37301c124beac89f633c990d45a175da5e134af80e91c6 | 160 | 7 |
| PowerShell Script Dropped Via PowerShell.EXE | frack113 | Sigma Integrated Rule Set (GitHub) | 7cf0b126730658e7c96da1ae0b63c1bb84154a239ca32c09909963038dfdcacf | 159 | 47 |
| Spora Ransomware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 8a1a4505f9c0ee688392c73f69566ea35c3597f51241af4cb0ddb23057c95474 | 158 | 54 |
| Suspicious Binary Writes Via AnyDesk | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | e63c082925104de00901f48dacf129e0a824bbe55c24ed90ba31d4e82c44f216 | 156 | 3 |
| Base64 MZ Header In CommandLine | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 754e38d8c28a41c5d8fab94446819cba31374961a938b11c2766647ee5dda64c | 152 | 20 |
| Suspicious Sysmon as Execution Parent | Florian Roth (Nextron Systems), Tim Shelton (fp werfault) | Sigma Integrated Rule Set (GitHub) | d76c7bc40bb395a6c2bc04fb2518aafb5044409e7d084eab35a00d6514635261 | 152 | 4 |
| Potentially Suspicious GoogleUpdate Child Process | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 09412b30e562e2ce76bfde7b363c711eb8d82f225e5c33b969989c68181d63c4 | 151 | 18 |
| Suspicious Scheduled Task Name As GUID | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ef39cf85c48f12af91e233355369755a0620b84ae2ffacce7f740a2b429531d1 | 149 | 1 |
| Use of Remote.exe | Christopher Peacock @SecurePeacock, SCYTHE @scythe_io | Sigma Integrated Rule Set (GitHub) | 598030e3b99748bb98e1a8c78a24023b80499c1526fd7b7719b5265a781b5402 | 149 | 51 |
| Powershell LocalAccount Manipulation | frack113 | Sigma Integrated Rule Set (GitHub) | b3caa02d87fceb141c3eb2e3715d1290976d6fdb56070c03362cd1fb6808f95d | 148 | 47 |
| Service Security Descriptor Tampering Via Sc.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 79b65bcfec60a228ced8c00aa4b8ff786ce017482ff46446e002fd9ea7bdbd00 | 146 | 98 |
| Suspicious Obfuscated PowerShell Code | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | d8233999a8d30f6ee903ed094bc3c6fe4008a4be43a580311a9d379867e54538 | 146 | 0 |
| Allow Service Access Using Security Descriptor Tampering Via Sc.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b2414a4d8972516423f6b63d79b5aaffd883551d5c9ee63294d6395da8f6a88b | 145 | 97 |
| Potential Persistence Via Microsoft Compatibility Appraiser | Sreeman | Sigma Integrated Rule Set (GitHub) | 9fc475ae448749ce7b6c7760c27eaa960cebb3e61dd32ccdd1ffa55dc831eff2 | 145 | 92 |
| Execution Of Non-Existing File | Max Altgelt (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | d2b7b95657238f7c078b9a6a17689a6184c1cf349ffb183b174ad2bd84681b08 | 144 | 3 |
| Suspicious Parent Double Extension File Execution | frack113, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 00b61d3ad8d5b276f712ce687ea306dc5b640516a51e65fd05ec277c5b979611 | 144 | 6 |
| Suspicious Windows Defender Registry Key Tampering Via Reg.EXE | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 624e5e799c1829ffc2199cdf5c7bc356cfb6da8137626ea544cdeaa8ee1d5c75 | 142 | 16 |
| Possible Shim Database Persistence via sdbinst.exe | Markus Neis | Sigma Integrated Rule Set (GitHub) | f228d8546016f76e5942e38208fa8a55735339d54ec3f56e63b2b9133b037a7c | 141 | 54 |
| Detect Virtualbox Driver Installation OR Starting Of VMs | Janantha Marasinghe | Sigma Integrated Rule Set (GitHub) | 3cbde0faee76f7509cfde702c1c324a83ac88cb58f0e0f74b2682a9b60369b1e | 140 | 108 |
| Change Winevt Event Access Permission Via Registry | frack113 | Sigma Integrated Rule Set (GitHub) | cf2984facb3af2703a88c05e420505bdaad5887f51fbf32167a0bf5abfcc28bc | 139 | 20 |
| Password Filter DLL Modification (Sysmon Behavior) | Den Iuzvyk | SOC Prime Threat Detection Marketplace | cdcaebb2c5505eed7b1cf8cbaff3316fe62d1be1354a3d77d6e25bca67c753d6 | 139 | 76 |
| WinDivert Driver Load | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b7ad594d8528d4ee4c0201b1a0852d42e9fc45976e984ed534f502290031e73a | 139 | 24 |
| Glupteba malware detection | Ariel Millahuel | SOC Prime Threat Detection Marketplace | bdf42e1363c4a10d6bcc355bf1a7fd1cb54d15737372cbd542de0642fb26eb5b | 136 | 0 |
| Active Directory Computers Enumeration with Get-AdComputer | frack113 | Sigma Integrated Rule Set (GitHub) | 37b6b961c7d630d66ed7dffc1fa2aae8811008a45bb73eadb3a78bd34a309c6b | 135 | 70 |
| Registry Dump of SAM Creds and Secrets | frack113 | Sigma Integrated Rule Set (GitHub) | 3e6aec9c264981c1c738cf2bb29a907f7fc01867b91cf31a6d4ba46d35129230 | 135 | 21 |
| Renamed Remote Utilities RAT (RURAT) Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a7d9d6781e1b1a5c65f3603e5aa6e2da23879bb16ea543f313a3d39f5d7949a8 | 135 | 6 |
| Run Whoami as SYSTEM | Teymur Kheirkhabarov, Florian Roth | Sigma Integrated Rule Set (GitHub) | 6af189a96d12cb443ce812c507e6b5326d70cc43e4f8a8b179fd45d5acee44bd | 135 | 15 |
| Suspicious Electron Application Child Processes | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 2b1f50cff6a2e8639ee801986adca76402def027ff7616841139cbf2ab32e2f0 | 135 | 5 |
| LSASS Process Memory Dump Files | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 532253e22b4c2a6410e693838434b30d959a9ebc0c04a0c861eeb9d593879009 | 134 | 5 |
| Use Radmin Viewer Utility | frack113 | Sigma Integrated Rule Set (GitHub) | 656b04cfc858a6fe2bf9dd2c3fc9b7beef1f30399b5817f0ad3a3862463f3783 | 134 | 1 |
| Potential Arbitrary Command Execution Using Msdt.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 96f35178aca93f73311713ffbcade7354646a1facaf7c2fce0201147d4b4b5c0 | 133 | 3 |
| Suspicious Creation with Colorcpl | frack113 | Sigma Integrated Rule Set (GitHub) | 4a29af926d08877fafd396f3d616bf6c90064503754db0460c36b7c0dd99dbbc | 133 | 0 |
| Nltest.EXE Execution | Arun Chauhan | Sigma Integrated Rule Set (GitHub) | 03ddbba7f8c72cbe2e0de21552f7f8f8a101955c12556c2bdb06219c0c968836 | 132 | 106 |
| PUA - Netcat Suspicious Execution | frack113, Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 358a95254318aa55ff499eb64277dff47957ac37c6370873673433bd55e77cf8 | 132 | 6 |
| Process Monitor Driver Creation By Non-Sysinternals Binary | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b37461353268b5d8d8a4a0d3ec132773396606b1cc30106f1524817122d6ed5c | 132 | 2 |
| Suspicious Office Token Search Via CLI | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | d914cc65d6c2c6363da71b09c2053c49031ad5dd7762f7e08df307adf0892f8f | 132 | 85 |
| Clear PowerShell History - PowerShell | Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 75df0b220ddaf477070a84227ba8e5430f5d4bbcfdfe1ad41ca6da62894c03ed | 131 | 48 |
| PUA - Process Hacker Driver Load | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b0d1bb8b34cc8998b5c64517d209194141fc1ade58d04a41bb18fd11be56edfc | 131 | 0 |
| PUA - Nimgrab Execution | frack113 | Sigma Integrated Rule Set (GitHub) | 91bdf8703cfbad287d4568a09b53790b20efdead5896d044bccf4d80efab7970 | 129 | 1 |
| PowerShell Remote Session Creation | frack113 | Sigma Integrated Rule Set (GitHub) | 2edbd80b280a70f7636ca307800e2c61b25d829eca7c992125bf15782e91f688 | 129 | 77 |
| Suspicious Download From Direct IP Via Bitsadmin | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 341222e0eba20f3fbf807a78669d6bd5ab3f6245589b85086cece2a9518283ca | 129 | 23 |
| Service Started/Stopped Via Wmic.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 2e3d78c5e41e6de41cac9e7f1872a39a27300e4078b7a403b7c6d4f0ca96daba | 127 | 37 |
| Valak Behavior (Sysmon and Cmdline) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 95388dc52565d97f01bb478463530fac5eb3a7197bbf17fccbd415b4a10a7055 | 127 | 92 |
| New Remote Desktop Connection Initiated Via Mstsc.EXE | frack113 | Sigma Integrated Rule Set (GitHub) | 257b13d5b7127756fd3872ae69c87afe430e3a8d7933cef87a19e05fc1658d70 | 126 | 38 |
| Ramsay Malware Behavior | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 9a24e548df204cab86a6489b32a696d4f00e8933893536c518bc73e457c7f3a0 | 125 | 26 |
| Vulnerable GIGABYTE Driver Load | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | e55e3c4025c22c464d209815a3411299c407e870eab4c5aa9ef362b217babade | 125 | 3 |
| Suspicious Extrac32 Execution | frack113 | Sigma Integrated Rule Set (GitHub) | 22466d36eb86be8a2f88344d2ad8707352f79b184489f7bc14547bcc6c82b9c1 | 124 | 37 |
| Vulnerable Dell BIOS Update Driver Load | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 10577bdb5cec4b94b7c1d5ddcb04041555da105e51850313907d995a05c68dee | 124 | 79 |
| Cmd Stream Redirection | frack113 | Sigma Integrated Rule Set (GitHub) | 5f96e6b063aba9535c425e87ec855e1751d2d80c4099135c5b165fdf5bdbc5dd | 123 | 24 |
| Sysmon Configuration Error | frack113 | Sigma Integrated Rule Set (GitHub) | 1cd7d30672aa97bf7ad987f1430427c4badcaf9359b200f28071d8b243834f07 | 123 | 8 |
| Ryuk Ransomware Command Line Activity | Vasiliy Burov | Sigma Integrated Rule Set (GitHub) | 1a2c4b1ffc8f65b4edf9020cfc1b6203854d13592539752717c107cd6357489f | 122 | 7 |
| IE Change Domain Zone | frack113 | Sigma Integrated Rule Set (GitHub) | 1fd27acf648f3f73802533ae95c6e367de8eb32fe05e9d3b52913ec54401a5ca | 121 | 14 |
| Pass the Hash Activity 2 | Dave Kennedy, Jeff Warren (method) / David Vassallo (rule) | Sigma Integrated Rule Set (GitHub) | 1e58f3b3a12845dad6be8befe76f8a0368d994ad5b069e672ac85d329bf336ed | 120 | 1 |
| Renamed Vmnat.exe Execution | elhoim | Sigma Integrated Rule Set (GitHub) | a94bce44672eb0c1fb09c1cec60477d64a82eb540559b6577c4370d99fbb38ee | 120 | 2 |
| Schtasks From Suspicious Folders | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | afcc7387bfcf1a39c26eb91bc6b000368dba233e0d6405a1ed3dc8b8e436f18e | 120 | 62 |
| Execute Scriptlet from internet Via Regsvr32 | Joe Security | Joe Security Rule Set (GitHub) | 1dfe86ef579952e7d83c7cab84e28986946f0660fc39224c8c471d29300a9885 | 119 | 0 |
| HackTool - KrbRelayUp Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 914dd9cda73bd6f9573dbe9e9a1fdfc390464d03b96dd1d0ac163be4f300aff1 | 119 | 0 |
| Suspicious Execution of Sc to Delete AV Services | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 7f8a2779f372784da42ba3ea542708f81eb3d3784b03ec4d156d94dbf9190887 | 118 | 5 |
| Suspicious Scripting in a WMI Consumer | Florian Roth (Nextron Systems), Jonhnathan Ribeiro | Sigma Integrated Rule Set (GitHub) | aa9824d65395eec625b665851ca4456503a8111e058eab9487c34500b30ee31f | 118 | 0 |
| Malicious behaviour on user login (Microsoft Windows - c0d0s0 group behavior) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 6b5efce8659d3a3b0a47725b973669cf5b071a5a685525042188d1670c7b2d82 | 117 | 9 |
| PowerShell Hotfix Enumeration | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 6715493a73f1ae31ce901cd48d6907aafa006d047fa07301d790319a8ff89813 | 117 | 36 |
| PDQ Deploy Remote Adminstartion Tool Execution | frack113 | Sigma Integrated Rule Set (GitHub) | d4455289124296f34e652e21b22099e2dbeb914261581fba842def35d85a6d92 | 116 | 108 |
| Powershell Directory Enumeration | frack113 | Sigma Integrated Rule Set (GitHub) | 7ce2e69836f6ffe690530adb579824031c46a1bee75e6f8dc9ec028fe59c5681 | 116 | 37 |
| PsExec Service Execution | Thomas Patzke, Romaissa Adjailia, Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 6ce71be75a7090fc85bf7d41e3b363a7a4dce58549844db0c3e5d9d3b32a3e0e | 116 | 14 |
| Suspicious GPO Discovery With Get-GPO | frack113 | Sigma Integrated Rule Set (GitHub) | 039172cd0dec626a7758aecf1db76255b8994bc61501f3a732abb90dc4e88560 | 116 | 38 |
| Group Membership Reconnaissance Via Whoami.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 4a8be8d477a2fbfadd8b27b53ce2a677c2b380814db4dedf6b47a8986fd6a69c | 115 | 35 |
| Classes Autorun Keys Modification | Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Sigma Integrated Rule Set (GitHub) | acb1ec4240103205f334c8fe26431568a458950f7b86b59652440e1de4dc0449 | 113 | 38 |
| Suspicious WebDav Client Execution | Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a2c6a7629f2d0d6b18c2ce3cddbee5522cbf1f3e6e8bcf0692c9e9393724ebaf | 113 | 5 |
| Fsutil Suspicious Invocation | Ecco, E.M. Anhaus, oscd.community | Sigma Integrated Rule Set (GitHub) | 4b8a086b898ff9eb51b0489b98e2619d0c9fe2cd94e29325ec8a4c2250220b8e | 111 | 23 |
| PUA - Seatbelt Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | c38f8f9eadbe19471d3a16edc3057b1660a29e4b74e90fb2ff929df10c440a40 | 108 | 0 |
| Persistence Via TypedPaths - CommandLine | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 3f78ff7ab6850cb34de03f0d9dd46de9ae0b96b1eeb140dcda89aabc2b7462a0 | 108 | 70 |
| Compress Data and Lock With Password for Exfiltration With 7-ZIP | frack113 | Sigma Integrated Rule Set (GitHub) | 227d06b807fcca01531502ab9bf3471b44a2e7db88394d5d03f7e07a11adc2e3 | 107 | 38 |
| Potential Recon Activity Using DriverQuery.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | c887795f89a95940c21235ec7fff122040bc4c53b14e9a9ba700193f3a7db228 | 107 | 23 |
| Remote PowerShell Session Host Process (WinRM) | Roberto Rodriguez @Cyb3rWard0g | Sigma Integrated Rule Set (GitHub) | 9c155c1f00478f6dbc65e449bb4e1ee8d14ca444d40cbb52bd6406320ff20282 | 107 | 4 |
| Suspicious File Download From File Sharing Domain Via Curl.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 09fa8f2c3e86f0fa6cc0876e94d77a20c07409a7154a61ef64a9a9a31a6d0049 | 107 | 22 |
| Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE | frack113 | Sigma Integrated Rule Set (GitHub) | 2291b42b147dc3089126be94f1bf34506fa822ea41904e0632fbe519dd3799a8 | 107 | 9 |
| Disabled Windows Defender Eventlog | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | d8e5c8a4902824901a6b91baa07694ac8ea9e13689cebd342572a8b546bad5bc | 106 | 2 |
| Potential Suspicious Mofcomp Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 890b5bcddab8d41ea499e521d3dabfb62f66e175c7e5968407080b5c7a4f2aa8 | 106 | 64 |
| Suspicious command execution | Den Iuzvyk | SOC Prime Threat Detection Marketplace | 2493810bc5072dfb469437cfe4848e404b84ec5690670b79ab60bdf138d06139 | 106 | 0 |
| Use of Pcalua For Execution | Nasreddine Bencherchali (Nextron Systems), E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community | Sigma Integrated Rule Set (GitHub) | 15a88fc8b846a774c398a2350aba9d8b4203f0cbb095abb4035f8f0e2c3ca2d5 | 105 | 3 |
| Dism Remove Online Package | frack113 | Sigma Integrated Rule Set (GitHub) | 835544e76c588c424d064ff04c81b644c875fe6499d31ecb188d5e3e59f4e72d | 104 | 62 |
| Suspicious Windows Update Agent Empty Cmdline | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | bfc362a89797a5fb7c7a15aee27b5c62127fff278db59f8dad27390ea34e3e1b | 104 | 2 |
| CreateMiniDump Hacktool | Florian Roth | Sigma Integrated Rule Set (GitHub) | 8618cac2c2c1ec1d0e5b729eab2f28a1585a023728c5aaa9fa184b786b52a337 | 103 | 91 |
| Kill multiple process | Joe Security | Joe Security Rule Set (GitHub) | 868e81758b31ab7d5c37adbd3798dbc1effacb9eeaad44e5f6c5f41c409fb786 | 103 | 0 |
| Potential Privilege Escalation To LOCAL SYSTEM | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 7e17cc0d521f2433baf3ca36bf22ec2946bb387a555fee75aff1c992849a2578 | 103 | 18 |
| Suspicious Remote Logon with Explicit Credentials | oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, Tim Shelton | Sigma Integrated Rule Set (GitHub) | 3f8d6ccb4e7555cba08aa888810b970a1a0a1f79d2a65b51f323b466542ae099 | 103 | 22 |
| Security Privileges Enumeration Via Whoami.EXE | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a9f6af870a74ed20bfbc784983dc7fa8aae28d336e2f79a8fa8b72c32d6a9fa0 | 102 | 35 |
| Schedule REGSVR windows binary | Joe Security | Joe Security Rule Set (GitHub) | c26e0207e75a84b37249afa14659448c57c0203d2220e8049b52775ab00538dc | 101 | 1 |
| Local Groups Reconnaissance Via Wmic.EXE | frack113 | Sigma Integrated Rule Set (GitHub) | 386f2bc7492f0e981a3ff4d07a1e865250fb5f4de55f43a70e9ca3e91bd61e31 | 100 | 16 |
| Modification Of Existing Services For Persistence | Sreeman | Sigma Integrated Rule Set (GitHub) | 01b2124bf0e9019139ef617d15b67080610ffd3584d4fa0cf7c646bd3f11853b | 100 | 43 |
| Saefko RAT (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | e036021928c6159521691ec6551a2b2c660a651ff2c69171bb3db4fc676b2e17 | 99 | 0 |
| Mavinject Inject DLL Into Running Process | frack113, Florian Roth | Sigma Integrated Rule Set (GitHub) | 22a0144a5fa16f342a409df0a0b3ea1292a72b8e43c7c844bf06d68f5330fbf4 | 98 | 12 |
| Potential Invoke-Mimikatz PowerShell Script | Tim Rauch | Sigma Integrated Rule Set (GitHub) | eea4b79cda06d89aedf4a8bef48f151e04c00dcefd21c9b9c8dcb3d1457b226a | 98 | 3 |
| RDP Hijacking. RDP port changed. | Den Iuzvyk | SOC Prime Threat Detection Marketplace | a917e763c89ea31922fe3dede8cc03c807a8b52f1a6f9eb0152291fea14c9416 | 98 | 9 |
| SoreFang Malware (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | ef69867dec66e047e8894803bca76813e63b7a2f0d2bc6938e903f4accf5ae76 | 98 | 13 |
| Suspicious New-PSDrive to Admin Share | frack113 | Sigma Integrated Rule Set (GitHub) | 9b5bc7e38efe4f1b17f2a923ca4fbbd1303baf2899f224b7e40278aea60cfc64 | 97 | 30 |
| Manipulation of User Computer or Group Security Principals Across AD | frack113 | Sigma Integrated Rule Set (GitHub) | 080f39fb13644d7055303fabf2a4ace323c7ca1c92ffe33c37a94ed397cecedd | 96 | 22 |
| PUA - Fast Reverse Proxy (FRP) Execution | frack113, Florian Roth | Sigma Integrated Rule Set (GitHub) | 2efa94e8cb6d016973ddbda2ca94b9db0d935bf31c7d4ede736b02e9d8ed25aa | 96 | 1 |
| Potential SocGholish Second Stage C2 DNS Query | Dusty Miller | Sigma Integrated Rule Set (GitHub) | dc5cfaa0b6ff45a4864ee8be51bb9c91ef2f5d94c791e000efb78473258ad5ca | 95 | 34 |
| Winlogon Helper DLL | Timur Zinniatullin, oscd.community | Sigma Integrated Rule Set (GitHub) | 071f1cce27ada52da178afa07fd609ed14967f9058b386611411962f4c56b665 | 95 | 36 |
| Suspicious MSDT Parent Process | Nextron Systems | Sigma Integrated Rule Set (GitHub) | 22974e8b759cb4125a56f2d16e37f8fa3020d7ae087aad754afe46386ea694e0 | 94 | 60 |
| CoViper Malware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | c388ee7bf8678acd149ab04cc3dc6f3d923b3c2a7684f42de0c984c16de1c023 | 91 | 0 |
| PUA - Advanced Port Scanner Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | fb482f5fd709d1ae001f190ee187e694e6ae6473e73b36e57e49b6908a1544c3 | 91 | 23 |
| Created Files by Microsoft Sync Center | elhoim | Sigma Integrated Rule Set (GitHub) | 90e6abcfde9453786cbe5eb7bd26a659703b1abfdec9d9441778c362dd6be63c | 90 | 0 |
| Ngrok Usage | Florian Roth | Sigma Integrated Rule Set (GitHub) | c2e9abacba241e42d67c8d6ae1523533d3cb9769cf7315d401744e4266f91ffc | 89 | 2 |
| Suspicious PowerShell Invocations - Generic - PowerShell Module | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 3f1f1d4b840f1276832b328fab68511c28f6b7918e887279b03e6ea4735bef7d | 88 | 3 |
| Wusa Extracting Cab Files | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | fb45aeb08550a3b51cede01e424c60a35987f3cba89d7a2e08d5783975154bda | 88 | 2 |
| Registry Explorer Policy Modification | frack113 | Sigma Integrated Rule Set (GitHub) | 767b140d3dd4f5df18244f9d3f3a79b259843572bf19ec0cea5f646e1f350c6f | 87 | 0 |
| Suspicious Invoke-WebRequest Execution With DirectIP | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | fda985869abff56461050c96a2f19a215ac6e3636ad0bb952561118e7989a6f5 | 86 | 12 |
| Schedule VBS From Appdata | Joe Security | Joe Security Rule Set (GitHub) | b16d941c7cf2248881a4d3da266d63655713389cafe7f2606ceb2b73fbace067 | 85 | 27 |
| Wusa Extracting Cab Files From Suspicious Paths | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a3bdc335aeefb2b18bcd061bd2c29809fd034b8ebaf07e3dc6c94af5ff27b7f6 | 85 | 1 |
| Add SafeBoot Keys Via Reg Utility | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | d0f01e5bb13e8ce7a78203105d6c6fd359d6150767bbbfa4de80faa61bbf2099 | 84 | 49 |
| Root Certificate Installed - PowerShell | oscd.community, @redcanary, Zach Stanford @svch0st | Sigma Integrated Rule Set (GitHub) | 0226d2c44e3b81cd4d31e7a8e55f6a3e3835b44939f721d5527b610071ebf40b | 84 | 29 |
| Suspicious Csi.exe Usage | Konstantin Grishchenko, oscd.community | Sigma Integrated Rule Set (GitHub) | d478344c6645595e8636745bd5f3fcc68955c4777726aba466ad93f133453add | 84 | 74 |
| HackTool - SharpView Execution | frack113 | Sigma Integrated Rule Set (GitHub) | fcd75941371f1c365f40d29f8498522d49065fb5ad8dc28a97b979603a6333ba | 83 | 19 |
| Powershell downloading file from url shortener site | Joe Security | Joe Security Rule Set (GitHub) | f05d1fcd81ae053d34629eef4e2f082dd51622b2535713f47860649c3619d085 | 83 | 7 |
| Suspicious Run Key from Download | Florian Roth | Sigma Integrated Rule Set (GitHub) | 9bc88dec9bf37149ee55ca532e26602ba2ef11e86aa846ab6e0e461f12768b4c | 82 | 0 |
| Powershell launch regsvr32 | Joe Security | Joe Security Rule Set (GitHub) | 59bdcb50161e15e215ceab8d779ba112cc633a8bde418fc87d450d05d5e78a78 | 81 | 3 |
| Suspicious Workstation Locking via Rundll32 | frack113 | Sigma Integrated Rule Set (GitHub) | 7077cb988db6f3b9dad54bcebad8cd59c0e62dd4b3f4f99d281d5e2b721c92bf | 81 | 36 |
| Blackbyte Ransomware Registry | frack113 | Sigma Integrated Rule Set (GitHub) | afd6cd2469ae4639e99a5087deaf57ed3032b6c807da7fb2ff4ccb5eb58c3582 | 80 | 24 |
| Clearing Windows Console History | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 30041403950554ea68cae8436931add62874ca499364d423bd04a8ccb124d999 | 80 | 27 |
| Gpresult Display Group Policy Information | frack113 | Sigma Integrated Rule Set (GitHub) | fdd0ef0378b9c7a67394fe97fcd782578201d6012af812d4f19483149704a866 | 79 | 31 |
| Data Compressed - PowerShell | Timur Zinniatullin, oscd.community | Sigma Integrated Rule Set (GitHub) | 1ea6262b9839c6f8aa32af503fb227a46a6f22b4778711e1a64f62b102e43a3e | 78 | 33 |
| Stop Windows Service Via PowerShell Stop-Service | Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ad906661229e2ccee26f0fa5a23b6e080c651463299081f5b7a9bdeaa0b4f857 | 78 | 49 |
| Netcat The Powershell Version - PowerShell Module | frack113 | Sigma Integrated Rule Set (GitHub) | 53b2cd18791dffbcc1b31b49b26f0068d68f366bccb84e299cb79ddcccaf04ee | 77 | 14 |
| Potential Unquoted Service Path Reconnaissance Via Wmic.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | af6fba732192700a3e6067cd1013a488ce707b800e7633a9a7aa67b66fd57ec2 | 76 | 18 |
| HackTool - SafetyKatz Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | e12ef0018b230868661eff7c8a74baf3f9a0ea5e0380b63b339c9218278f2057 | 73 | 0 |
| PowerShell Credential Prompt | John Lambert (idea), Florian Roth (rule) | Sigma Integrated Rule Set (GitHub) | 3673ff480d9b6da69d58b49cdbd4653446b39552e94717447405039cbb476c09 | 73 | 58 |
| Schedule CERTUTIL windows binary | Joe Security | Joe Security Rule Set (GitHub) | 5afe0a8f1f7fbc102dbeb6382c6e3e9702f05c872dee6c8309d805831b7dbbe2 | 73 | 0 |
| Suspicious SSL Connection | frack113 | Sigma Integrated Rule Set (GitHub) | 862ef09072518dbd7b5900500c4908a6284ee88f03b45ad0c0b20f3eb495f645 | 72 | 2 |
| Potential DLL File Download Via PowerShell Invoke-WebRequest | Florian Roth (Nextron Systems), Hieu Tran | Sigma Integrated Rule Set (GitHub) | abaf76ffe44f9fecc068eae92c53e3c5c4059258b40f40eafc69759c4661d667 | 71 | 21 |
| UAC Bypass Tools Using ComputerDefaults | Christian Burkard | Sigma Integrated Rule Set (GitHub) | f0a2a0d6b300aa9b5100a3fcd8fda2e183d4c22f4c748ebf056b724965c77639 | 71 | 0 |
| Lokibot Detection Rule | Ariel Millahuel | SOC Prime Threat Detection Marketplace | be942c1d0e5d410fdd49ca407572405db53d2cebec6927a56b86b1bf02d58983 | 70 | 0 |
| PowerShell as a Service in Registry | oscd.community, Natalia Shornikova | Sigma Integrated Rule Set (GitHub) | edeb7efda75eef0c30275df1148d63a2707963d2d9735d444a56536df2161a9e | 70 | 1 |
| PowerShell Create Local User | @ROxPinTeddy | Sigma Integrated Rule Set (GitHub) | 065b49beca5cc42953a5612a7a5342fd18266f128a46b1a788c3f358f775a191 | 69 | 13 |
| UAC Bypass Using Consent and Comctl32 - Process | Christian Burkard | Sigma Integrated Rule Set (GitHub) | 45716a61474d8af25ba7318e0bcc946490ebaf1a0ea6c9a73d6fa3d572e58ae6 | 69 | 0 |
| Windows Firewall Profile Disabled | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 489692e72dc0017d68cdd2188f43e162f46de9955dce51c32323345919b76b0e | 69 | 15 |
| PUA - Chisel Tunneling Tool Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 2d130c854a78ff4630994ab2107c3a8b18cc55785432c30b32d253f1c219289a | 68 | 0 |
| Potentially Suspicious Regsvr32 HTTP IP Pattern | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | bb39752a4e439774cfd5a035f61c530f6c75b6d694b088178e6c155f78f5563d | 68 | 0 |
| Suspicious Microsoft OneNote Child Process | Tim Rauch (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), Elastic (idea) | Sigma Integrated Rule Set (GitHub) | c2b8793bc5dc3f78c117608b17e59499e853d298dba8c03f56b4bbcd6d0c0f16 | 68 | 2 |
| Suspicious Subsystem for Linux Bash Execution | frack113 | Sigma Integrated Rule Set (GitHub) | dfbb51364e0deb6fd01f82a709f96be117d3f57ab06c8ac5718d944050856808 | 68 | 32 |
| bitsadmin download and execute | Joe Security | Joe Security Rule Set (GitHub) | 613bbc724cd17594b42667a8a5c4df0dff074adfb53a590f30f86743bc9b5b47 | 66 | 9 |
| Scheduled Task Executing Powershell Encoded Payload from Registry | @Kostastsale, @TheDFIRReport, slightly modified by pH-T | Sigma Integrated Rule Set (GitHub) | 5e1d76eef43af47ab79dcfbdbb15919232ca5646aef7cc201d8aa1191b2d67f4 | 65 | 0 |
| DUNIHI Malware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 4e8573bf949d0f277bff56a18b256181b950262693a43cfad1d247e035aec8b5 | 64 | 6 |
| PsExec Tool Execution | Thomas Patzke | Sigma Integrated Rule Set (GitHub) | 91a0bf780670902c97c569d46226158bdd49738004799b58cd63cc4c9d63ea55 | 64 | 3 |
| Renamed Whoami Execution | Florian Roth | Sigma Integrated Rule Set (GitHub) | f22be736aa7b4ddd0d6ce96e785fbb7adbcb991517763b72a098333df9610f14 | 63 | 2 |
| Sysmon Configuration Modification | frack113 | Sigma Integrated Rule Set (GitHub) | abdfcf563f91cb4c9b132baa9fd47b92a1e20294c09c02d7571f6fe5505f21d7 | 63 | 4 |
| Fsutil Drive Enumeration | Christopher Peacock '@securepeacock', SCYTHE '@scythe_io' | Sigma Integrated Rule Set (GitHub) | 29dde5587c090e85fff677c9d2643ac2deba99c10c07e68a2e71407af9991486 | 62 | 24 |
| Active Directory Group Enumeration With Get-AdGroup | frack113 | Sigma Integrated Rule Set (GitHub) | 2363089b66b3f43001c4d30a1a0d4a7a622db02c1b8f68a3aa3be7c674be645f | 61 | 34 |
| NetNTLM Downgrade Attack | Florian Roth, wagga | Sigma Integrated Rule Set (GitHub) | 5bced7470eb37ada15efd448b0a87615727c93557e648e225c3ee894c4b0ff08 | 61 | 29 |
| 7Zip Compressing Dump Files | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 2194ceadd602ef4103a4715be6673214407021d3ff227fc3c520c0b9f51d9008 | 60 | 14 |
| Delete Shadow Copy Via Powershell | Joe Security | Joe Security Rule Set (GitHub) | d91fb994dcf44dbdd52950e6db5cdf99eba912926494deb2f92f3f2dbf232740 | 60 | 0 |
| Office product drops executable at suspicious location | Joe Security | Joe Security Rule Set (GitHub) | e0e4a0d55b1462c34c5c59221f7b9ae4b1625aa019f157ee2d60b21d286df9b5 | 60 | 0 |
| Powershell Local Email Collection | frack113 | Sigma Integrated Rule Set (GitHub) | 7a8c60222c9d0320cd13f6c3e00c4279e2961daa1560bebf35dfe8f0de4387a4 | 60 | 21 |
| Suspicious Usage Of ShellExec_RunDLL | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 583f46a94081ca6e4e09e8191f1cc5fe8a0b11239ca27da18ef2ad12a48786b7 | 60 | 0 |
| Cmstp Making Network Connection | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 3ee0f25c3d0b70476bccad0e57a0351cf8822d966bb558a9a49836dccbc9fe41 | 59 | 0 |
| Delete All Scheduled Tasks | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 828f57327c792b3d7689543c6e7d2a87b71f15589b3c45366d0486473f86b2c1 | 59 | 3 |
| File Download with Headless Browser | Sreeman, Florian Roth | Sigma Integrated Rule Set (GitHub) | ab434fe480ee2a7a4567eef38af37753eb61b2fe82708db1056313a73ab0fac0 | 59 | 0 |
| Nslookup PowerShell Download Cradle - ProcessCreation | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 4755ccbf487b7c6fdaea8383493917837a2c86ff682d94f0f57d6b09349e0ddc | 59 | 11 |
| Powershell Timestomp | frack113 | Sigma Integrated Rule Set (GitHub) | 5b5656801277c44d48ce3c9f4c8c393d55f8c0943d2c641d4968a012bd160f38 | 59 | 12 |
| Obfuscated IP Via CLI | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | f9580d1ddc8753d3db3625ce853e150314b148df4d5279a69d3781cc031996c9 | 58 | 3 |
| Suspicious GetTypeFromCLSID ShellExecute | frack113 | Sigma Integrated Rule Set (GitHub) | 88dfd5a01f282c28ca7996397793be5f0d467366ce982def90143e1503ce84ad | 57 | 0 |
| Suspicious UltraVNC Execution | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | a1005bb393ae9323ec95dc47f2348fea7262e1297f7d5c4e3c9b21b672fe467e | 57 | 6 |
| Unusual Child Process of dns.exe | Tim Rauch | Sigma Integrated Rule Set (GitHub) | 1a409a5e5fee95e8f39012c0517568143fbf3ceac2b7bf87e81ab5eb50d8a6f9 | 56 | 14 |
| WMIC Unquoted Services Path Lookup - PowerShell | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 420c9214a5aa1f50a2a85504e221b82931637956daecbfebfda630bb7c586f60 | 56 | 22 |
| PUA - Rclone Execution | Bhabesh Raj, Sittikorn S, Aaron Greetham (@beardofbinary) - NCC Group | Sigma Integrated Rule Set (GitHub) | d682d09d3c15912248f0f367d755338bbf871b25380f62525ba288c8bf90689e | 55 | 33 |
| Potential File Overwrite Via Sysinternals SDelete | frack113 | Sigma Integrated Rule Set (GitHub) | c79aec25ed8a3cf07f3a43954d8dda5823dc140075f59c4e0cae1e5a3aee8072 | 55 | 9 |
| Service StartupType Change Via PowerShell Set-Service | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a1369ba6b294845b80eaa8e066a683a25e6d2cd458f78a519a4aa7cea4b3fba1 | 55 | 45 |
| Windows Defender Firewall Has Been Reset To Its Default Configuration | frack113 | Sigma Integrated Rule Set (GitHub) | 00b96bc8d00802244409c54614fa31f98fe83547c5c43f4fd78e891c16f792e2 | 55 | 5 |
| File Created with System Process Name | Sander Wiebing | Sigma Integrated Rule Set (GitHub) | e13498937de9343f50c1e8f315ce602aa238e37e21f3dbb15d3403c25afafe3e | 54 | 0 |
| AADInternals PowerShell Cmdlets Execution - PsScript | Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 6d5567356ba0845cc4858843f110d6459b2d79576a5e0139dd7b2218b9f556e8 | 53 | 51 |
| CrashControl CrashDump Disabled | Tobias Michalski (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | de530c1426a408ae40cc5a51e752587348efab456b3dcc12204b8c47a389eb83 | 53 | 1 |
| Execute dll with txt extension from temp location | Joe Security | Joe Security Rule Set (GitHub) | d8d01ff318fd81c3e8579c3f1dbc420f408beb4b67bc9be1a4bbdc759dce812a | 52 | 2 |
| LOLBAS wsl.exe (via cmdline) | Den Iuzvyk | SOC Prime Threat Detection Marketplace | 55bd30964b2c80cd229425cd10828e1b7c89462547581eb0c4a907c55c87f0a6 | 52 | 0 |
| Powershell download payload from hardcoded c2 list | Joe Security | Joe Security Rule Set (GitHub) | 5c6454bb6fd16d176798dcb8685eabffc5295c27b7c2c471512f66343a885a24 | 52 | 7 |
| Suspicious Hyper-V Cmdlets | frack113 | Sigma Integrated Rule Set (GitHub) | 62e075896842e5b2072a0b1610a9995667d1edd599e21657ffe829aa871cc56d | 52 | 38 |
| Credential Acquisition via Registry Hive Dumping | Tim Rauch | Sigma Integrated Rule Set (GitHub) | ba431c90356b826afe0f0c811dab13c54cbe689123f1167962b6bd8f23edbb25 | 51 | 1 |
| NetWire | Joe Security | Joe Security Rule Set (GitHub) | f1f1e749b0e91b9e079a2fb92be3e128291eda84c02064028a1d037f450f864c | 51 | 0 |
| Suspicious Execution of Shutdown to Log Out | frack113 | Sigma Integrated Rule Set (GitHub) | 3970bd95a88d05869fab2e89b8b02fda81406f83ecd9e197b1249a06a3f8eb62 | 51 | 14 |
| Registry Disable System Restore | frack113 | Sigma Integrated Rule Set (GitHub) | 39ac4b0484423463b1d746fc5446062ea1299bec08a2dd2bc058efcd9c06f2e0 | 50 | 8 |
| Suspicious Unblock-File | frack113 | Sigma Integrated Rule Set (GitHub) | 71c164abf414b20e2e799e16de648202a68a8205db9f81d0dd28495ba9ce1ce7 | 50 | 20 |
| Mshtml DLL RunHTMLApplication Abuse | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 81da16a2acd4f2ead3a5744748fade75b7d63b7ec6498731e5106bf2d48265b6 | 49 | 3 |
| PUA - NPS Tunneling Tool Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 9b4f9dd1295bf299dba100d2a75a3f7188ba51a90dda3e0bf371708f55a40507 | 49 | 3 |
| Possible Process Enumeration (Sysmon/Windows Logs). | Roman Ranskyi | SOC Prime Threat Detection Marketplace | 1b3947466060dff55a89da9e24ec34cca8df9c4dbf704a3b3a9120eb3df96e3a | 49 | 25 |
| Renamed PsExec Service Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 80d7ce564675dedfdbf8c13540cced6343bb1708c20306349a108b369920509a | 49 | 9 |
| Windows Firewall Disabled via PowerShell | Tim Rauch | Sigma Integrated Rule Set (GitHub) | a0a3572f7e566559cfcfc8970108fc01b0ad35103e76b5359955ed4c7d4ac60e | 49 | 3 |
| Suspicious Get Information for SMB Share | frack113 | Sigma Integrated Rule Set (GitHub) | 78af9841681cc3ae06f2b42827aa5b5f54e7e1cd67967a87cc99a5e7d4cfe18d | 48 | 30 |
| UAC Bypass Using IDiagnostic Profile - File | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 31d928b4b0adc82d81a6490585e87953d808c285ed5d3b25bbe1a461234e37f6 | 48 | 0 |
| Query to Ammyy Remote Access Software Domain | frack113 | Sigma Integrated Rule Set (GitHub) | 5d5ea99f7c040a6706db9d67e16b384eebe02132d410d1f9edc4131c8045469f | 47 | 0 |
| Replace.exe Usage | frack113 | Sigma Integrated Rule Set (GitHub) | 067314a472e516edad2a871cb6ccc07c4490f9e36622e820cb8d7ff88b0f9fd5 | 47 | 25 |
| Request A Single Ticket via PowerShell | frack113 | Sigma Integrated Rule Set (GitHub) | 7b7092f37f648c00a538947e2cb178b5c50e31e552b8bff8251ffaf4d4e49a68 | 47 | 6 |
| Suspicious Whoami.EXE Execution From Privileged Process | Florian Roth (Nextron Systems), Teymur Kheirkhabarov | Sigma Integrated Rule Set (GitHub) | f3863a9acecacb856747d09b6541ff99d6245853902c8785a4d4985fde12bf22 | 46 | 8 |
| WSL Child Process Anomaly | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 39a511112093810c2b82b35c4c8575b0f249dc7b9e8631fe75c6481c5c7e2658 | 46 | 0 |
| Rar Usage with Password and Compression Level | @ROxPinTeddy | Sigma Integrated Rule Set (GitHub) | 02930d34935e0616b2711790272271498e2a5a03bcf66372f0985d2e89cee1af | 45 | 0 |
Office Applications Spawning Wmi Cli Alternate Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule) Sigma Integrated Rule Set (GitHub) 4e7dcf0bdb7133795dc5f59a3dce3f19d7a78ad417e3b41e7dea915b76bdfd5d 44 0
Powershell create lnk in startup Joe Security Joe Security Rule Set (GitHub) fd5c77e4a6ca9deb325d7525e8219d80cc70e6bbf765e2d75ab4f30f6be7cc9a 44 9
Regsvr32 DLL Execution With Suspicious File Extension Florian Roth (Nextron Systems), frack113 Sigma Integrated Rule Set (GitHub) f64c98dfb55189f8f65b8dc8c77a020a4c869933083e1b3ef087e4dba264e864 43 0
Rundll32 UNC Path Execution Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) e3e74fa33e688408b75baa0f3988d754504296233bf1904baa587d8b17e3c4f8 43 7
Communication To Mega.nz Florian Roth Sigma Integrated Rule Set (GitHub) f13e798225ef1d32c44d8511ab7c95a58e93d46b8c833bfb47f55eb5d9bb69e2 42 18
NjRat Detection Rule Ariel Millahuel SOC Prime Threat Detection Marketplace 44649563045e4b39ea5ec24c20ca7aa44cde80384aa9b3de04a8bb30862d934e 41 0
Use of FSharp Interpreters Christopher Peacock @SecurePeacock, SCYTHE @scythe_io Sigma Integrated Rule Set (GitHub) ab87de6df917b48304e512d979d27ae1a0c4b3b63106217afe10aa1059195e7e 41 18
Automated Collection Command Prompt frack113 Sigma Integrated Rule Set (GitHub) 511fcd38b1cd4057f3b3568707032548bac72899a4b3c932f3614c6d89d417bd 40 9
Bad Opsec Powershell Code Artifacts ok @securonix invrep_de, oscd.community Sigma Integrated Rule Set (GitHub) c536e387a5fd3183e46be3c9a492ab73e5ade9b45179341ea25fcfe383cee92d 40 2
Changing RDP Port to Non Standard Number frack113 Sigma Integrated Rule Set (GitHub) dc0c536bf76ee17ec594024c9b331e97f259d945e0c52ca0f468b6d323906d8b 40 8
Powershell Inline Execution From A File frack113 Sigma Integrated Rule Set (GitHub) cbf84e925032ab806dad545cb848e4318b275d75f3a40c8cb9664e0172444779 40 4
Suspicious Execution of InstallUtil Without Log frack113 Sigma Integrated Rule Set (GitHub) f87a49b6d1417f2f418f84c8a8b3d23964133dc7c1b7e18b02a1d2b8deaba8a0 40 21
Suspicious Hacktool Execution - PE Metadata Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 8b5d84914e5e7715fc7effca7b1d2ad513d7fee3b5afb0e324a42c2d3103cd49 40 0
Cscript/Wscript Uncommon Script Extension Execution Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 1168f1f8b0347e370d4f049726cef5752fdd4db77ea2e8f33d611739f3257b7c 39 5
HackTool - Certify Execution pH-T (Nextron Systems) Sigma Integrated Rule Set (GitHub) 1feb34fc6cb1b6cc6e7f79cf3437684366634b5dbbdfd6e053e0f07cdecdd327 39 11
Qealler Detection Rule Ariel Millahuel SOC Prime Threat Detection Marketplace c8b5691bd0f6cb0670869259285160320643f60ba111d9c93b81c6bc5e088037 39 13
Suspicious Get Local Groups Information frack113 Sigma Integrated Rule Set (GitHub) 098feee88c8a66070a3ec1f3c56be0ede46676cee2b799ba6d309360ce563ba7 39 15
Sage Ransomware (Sysmon detection) Ariel Millahuel SOC Prime Threat Detection Marketplace 71d449cc65c29ab2e4fee214298f208b87225361a0f65f0f2e73bfd7875b1ef7 38 0
Disable Administrative Share Creation at Startup frack113 Sigma Integrated Rule Set (GitHub) 529a42d20f26a0247c669d877e7a0260adfafaaf2627c9f33ad4d8b571e8d20a 37 0
Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Daniel Bohannon (@Mandiant/@FireEye), oscd.community Sigma Integrated Rule Set (GitHub) 30c408d940a17c92bda9a7a3661343cb4849cb5206311af462dfa18993f9f0c7 37 0
Potential Homoglyph Attack Using Lookalike Characters in Filename Micah Babinski, @micahbabinski Sigma Integrated Rule Set (GitHub) f311f45a27e981db5c1aff6b1880679af30210f2426d026f442a886afec6ac05 37 1
Query to LogMeIn Remote Access Software Domain frack113 Sigma Integrated Rule Set (GitHub) 44c5e7c7bdc6965af0ddf07703f708dcda09e583e4c473d7b247067132a8704c 37 18
Suspicious OfflineScannerShell.exe Execution From Another Folder frack113 Sigma Integrated Rule Set (GitHub) 9c3168b8b2ff965a5cf3ed36f4ce722df9e09021fbbc44075916c77d2132bc8f 37 4
HackTool - SharpUp PrivEsc Tool Execution Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) b9df87571912714cc7a36f7a1ca3fdd9625d8ccc37a12862bdb202fba7c22869 36 1
Netsh Port or Application Allowed Markus Neis, Sander Wiebing Sigma Integrated Rule Set (GitHub) 7b1f3cd9ca9b55feb5fdd5c8e1821348f2d78745282b41055af44f88df612112 36 2
Suspicious Rundll32 Script in CommandLine frack113, Zaw Min Htun (ZETA) Sigma Integrated Rule Set (GitHub) ee7fc4aa3dcf06ddc37a9dc24c2fe5a2d394cc53d560d2214a8f5455eedb6291 36 3
Testing Usage of Uncommonly Used Port frack113 Sigma Integrated Rule Set (GitHub) 45fddb986c296e8a5cc65d9e7d93b5666adb505378e865f501b8a9946a4cc8fe 36 11
New DLL Added to AppInit_DLLs Registry Key Ilyas Ochkov, oscd.community, Tim Shelton Sigma Integrated Rule Set (GitHub) 6f134f381913ef9221138f615280ca41e252e823168d7d580ab6e713e10beca2 35 0
PowerShell Base64 Encoded WMI Classes Christian Burkard (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 1d5a6acf8297313dfc47ed41e174ccbdcf2ac0a174e059a599f880ad761dfe89 35 1
Script Event Consumer Spawning Process Sittikorn S Sigma Integrated Rule Set (GitHub) 99d3f28b790cc9edbf77b5fddd446d2ec05f85ee550310a2a3863e3171a9bd54 35 0
Suspicious ScreenSave Change by Reg.exe frack113 Sigma Integrated Rule Set (GitHub) a87fe4afa527fd01cbb17ee26918bbf87dacf9b429f97ede32b8831532ec4d59 35 7
PsExec Tool Execution Thomas Patzke Sigma Integrated Rule Set (GitHub) 2638e4eb6733f565f75759fc7f3c7b2ce2d92f7a231f14859cad11aa82b929e9 34 1
WMI Execution Via Office Process Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule) Sigma Integrated Rule Set (GitHub) 58a51088691ea6b0bb320e61f961a96216f54913353095e97a5b5c6e94ce74fa 33 0
HackTool - SharpChisel Execution Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 23eb4319cc6c1995a632adb591fa9b089822a7ef6061519fdc43832fac6bfb69 32 14
Potential AMSI COM Server Hijacking Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 738acd800035a9376f9c5ed9937f647fdc87ccefc57ccd0fab07a3fc108fa255 32 0
Suspicious Key Manager Access Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) c7e5c778b0f4b6273f393fd9e32d97fe4145b2b1b3a8de87a9e02cd66f9c4383 32 32
Process Explorer Driver Creation By Non-Sysinternals Binary Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 99c7a3c2ca557dc3ff22980e34539383c6be02b29d75aed44570e5292dfb47cc 31 0
Scheduled Task WScript VBScript Andreas Hunkeler (@Karneades) Sigma Integrated Rule Set (GitHub) 58bd50bf4c2f3dee57aac7f6c2f5671bd781f59b9e71a8c191de01ef8cf53de0 31 0
ScreenConnect Temporary Installation Artefact frack113 Sigma Integrated Rule Set (GitHub) cbf91c8dea063cd256525b4053b25b4afe0528021d02d0b0d380321ebc5c9a7b 31 14
Suspicious File Download From File Sharing Websites Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 81df8b624648173975c91181526939696ab64698fa03b22522b81744d5cc10bf 30 30
Suspicious Powercfg Execution To Change Lock Screen Timeout frack113 Sigma Integrated Rule Set (GitHub) 82b3e64b1ffbd6e42b9c816c24dd39f029501b0a8e06e337701dfc101f978f0d 30 8
Monitoring For Persistence Via BITS Sreeman Sigma Integrated Rule Set (GitHub) f9b2dcdba235a40678fcd4411540f98adc4caca054a247054eba6b040b37243e 29 1
Suspicious Get Information for SMB Share - PowerShell Module frack113 Sigma Integrated Rule Set (GitHub) 8f4c645fe661dc0ebdeff288f1761a20acf930f02e4c51bc48e6bafc245c1006 28 21
VBScript Payload Stored in Registry Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) dc67cd797236fcf12f7a5e58c0d5fc50318e74f58c9d17e6bf7905e87c5a9c21 28 0
AnyDesk Silent Installation Ján Trenčanský Sigma Integrated Rule Set (GitHub) 8c68ebe0db23e4f70c3621d56e4ce298dcf255e61288342e6b4760dd0af96c85 27 0
Netsh Helper DLL Den Iuzvyk SOC Prime Threat Detection Marketplace 67f08eeb3f74c7dcf4b8985150f3df56b390aec0e1d3edb45a75c360f73c0134 27 20
Network Communication With Crypto Mining Pool Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 5f96c8ad390b56fba16309ec092ccde0290c7896bd2bfd7c49b738c77dc36bde 27 0
Renamed Msdt.EXE Execution pH-T (Nextron Systems) Sigma Integrated Rule Set (GitHub) 547b4f9fe578b9d949c01be391e76decb1e95b632ac54aac474eb858c0f1f5b3 27 1
Suspicious Eventlog Clear Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) a049127770d6c92e914c0806277852c3b69f5e9cc86ca0f687e50e60c12d8868 27 9
Suspicious Nmap Execution frack113 Sigma Integrated Rule Set (GitHub) 4225d7662d0eec6d20893e2e9f75328a37cc7a24ba7f1932e3c993cf482e46d5 27 13
New Generic Credentials Added Via Cmdkey.EXE frack113, Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) b71ea6893f3e92a9d7d7ffb0de6a327a1a755b01c115465f079fa8cce81013d5 26 12
PowerShell ICMP Exfiltration Bartlomiej Czyz @bczyz1, oscd.community Sigma Integrated Rule Set (GitHub) 504cd1bcea14d3f138e4253108d6978349e99adf5984333e0d5d78865dd1a481 26 21
Suspicious File Downloaded From Direct IP Via Certutil.EXE Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) bba68f86faec56fff7827bdc8b4bb20cf69d80ccf8c956daadc7bd68839665ed 26 1
Taskmgr as LOCAL_SYSTEM Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 1d1e002f037bffd9b91901474efbd1036622a788849898b81570d37d3ba34513 26 0
Remote Access Tool - ScreenConnect Backstage Mode Anomaly Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) d5b76fa3cab42361e745d7a1c59d40820a1cab108d30fd2d9fef6c3aade085b4 25 5
Potential Suspicious Windows Feature Enabled frack113 Sigma Integrated Rule Set (GitHub) cdcec55ed90affa3868db81d308f5a76204c51b717f1cd5ba3c9feee5ce926ec 24 17
PsExec Service Child Process Execution as LOCAL SYSTEM Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) f568e89bc8387361d0bc168c8a46059280d10de1ecffdc0e99533b7b290401af 24 2
Run from a Zip File frack113 Sigma Integrated Rule Set (GitHub) 5cf936f9d2feaada449504fe406fc44b2ee6f674a4433863662f135096618431 24 6
SQLite Chromium Profile Data DB Access TropChaud Sigma Integrated Rule Set (GitHub) bfe106c088dbc3f0a1e36442a1cffcf01752c0edc0253863c36640731be1e240 24 0
Suspicious Sigverif Execution Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 56643225c1e622a648289fb75934bcf15ac76a8bdb22a911e9f06d61e7db7077 24 0
Sysinternals PsService Execution Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 647bce287d915da46bf01fa65706878514260f75bea7273d4c5eee115ac0b031 24 6
Enable Windows Remote Management frack113 Sigma Integrated Rule Set (GitHub) 7f8fcfb39f92617ac21dbc51e4c66b0663520cef30300bc28dd89572f6574253 23 4
LSASS Memory Dump File Creation Teymur Kheirkhabarov, oscd.community Sigma Integrated Rule Set (GitHub) b0e4aa7c882545a1b46a09c373f3abc99ee9ad92c5cb99e1b8764356501b3059 23 0
NTFS Alternate Data Stream Sami Ruohonen Sigma Integrated Rule Set (GitHub) 535b54123e1e90e346eb48779d2bdc19508f9a3aef7f7cf48bddbbd43f953478 23 9
Service ImagePath Change with Reg.exe frack113 Sigma Integrated Rule Set (GitHub) 3a4567bd735e7ae20a9b3bf3921ad6e9acdec3b957cdbdb4eebfd6feed5670d3 23 5
Suspicious PowerShell Invocations - Generic Florian Roth (rule) Sigma Integrated Rule Set (GitHub) d0b30db49f680fc7c412d09dc2099e655eb262fd5ef5b03fb5304663ab79137a 23 3
DllUnregisterServer Function Call Via Msiexec.EXE frack113 Sigma Integrated Rule Set (GitHub) 2e95aeac423a48e1ef8f7275c2f49a8fe3fe9a7e83b9db9f856d1f2d3edb1a10 22 11
REGISTER_APP.VBS Proxy Execution Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 2d663b64fac0627c9d7a810d3e1e3c10a5321e0d9f0ff82bf3f9ade891ad15e9 22 10
Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 9c7804b6bfb1ca0e93a863185af19f14432fde4b07d2ac68fb1a44032467c98a 22 9
Suspicious WMIC Execution Via Office Process Vadim Khrykov, Cyb3rEng Sigma Integrated Rule Set (GitHub) 651f584b690a75e06a7e634cec7a11b17555debdbfffe3f765a988b80ffeacbf 22 0
Use of TTDInject.exe frack113 Sigma Integrated Rule Set (GitHub) ce2c1d30a6032c8bf814508ea0142036631b7b690cff7d809dfac541ddf4c01a 22 15
Access to Browser Login Data frack113 Sigma Integrated Rule Set (GitHub) d3129d20de2d7890e0b90366b7a86a16ce9ca2c330c67005b72bfbd4105aa6d8 21 5
Change Outlook Security Setting in Registry frack113 Sigma Integrated Rule Set (GitHub) ad1841979098a6b76c24ea780263b9da230373dc9a0d48d841538ec02cecb447 21 0
HackTool - KrbRelay Execution Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 03e06bc61499c16b25ec22e9681f9e9633dc812e30ec543e7a5105ecbf3220f4 21 0
HackTool - PowerTool Execution Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 24223dcd765ae37fd40f3af1054e55119422246e8933dc29b1debbd1cfc67d00 21 0
New Shim Database Created in the Default Directory frack113 Sigma Integrated Rule Set (GitHub) c028d3fbfe3db756b5129f320616cde63b9929b02e91fb76c1b12fb726eafb71 21 11
Potential Renamed Rundll32 Execution Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 6473e93a221b66c30b661dabfde02604f395c46f8e019efe0b3db46cd7dc03e7 21 3
Potential Snatch Ransomware Activity Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) d48381be3227e49cd9d42fdf472184d9e4db1b4fbe72ee6048739f0af5913e9f 21 1
Powershell XML Execute Command frack113 Sigma Integrated Rule Set (GitHub) b8a4fbd826f854871ab62dc0ad49ae048575057a6293a2c8109f04b8662a8162 21 14
Suspicious Cobalt Strike DNS Beaconing Florian Roth Sigma Integrated Rule Set (GitHub) b55c667fef3a16ff308f801e44896c36f9754c98321c12bc516a13477130f4fd 21 0
ImagingDevices Unusual Parent/Child Processes Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 95fe2608b1dadcb60e16a7627b715b848f056f452fc93639201d185bd1c91a25 20 0
Mstsc.EXE Execution With Local RDP File Nasreddine Bencherchali (Nextron Systems), Christopher Peacock @securepeacock Sigma Integrated Rule Set (GitHub) 4476f97756130311a92e0412033fd3fdacf6c62d0eb95901dcab7519a0236740 20 10
Set TimeProviders DllName frack113 Sigma Integrated Rule Set (GitHub) 4644dba35bcca22688aa47798c36c6f13bf03864da995c52366df9c473e02450 20 0
Vulnerable Lenovo Driver Load Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) b05e5f1c810aad917ec95aa917177c7a3075f44d37d2ed2b21e953dc69c99eae 20 0
AD Groups Or Users Enumeration Using PowerShell - ScriptBlock frack113 Sigma Integrated Rule Set (GitHub) 1bccdc208f191ae10d0fa42675f08a37e14e4f39ff07da3fc0c15510993f6e9c 19 2
Defrag Deactivation Florian Roth, Bartlomiej Czyz (@bczyz1) Sigma Integrated Rule Set (GitHub) 8428866bf6cbf8ea04c18dc9a8ebd493a8a882a9b706b557f71d376cd69fda79 19 6
Office Macro File Creation From Suspicious Process frack113, Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 8f4f518c1c5f1faa9ad744166d845016dc78c82b4c7f38011fa687462b1afa18 19 1
Powershell MsXml COM Object frack113, MatilJ Sigma Integrated Rule Set (GitHub) 38c7f03136a955c75f92f48bde1f9544a6d996418d05fae60f1efc916f0ea88a 19 2
UAC Bypass WSReset Christian Burkard Sigma Integrated Rule Set (GitHub) 03fc63d53dd6f6eeb7fef5848db2e4cd11fc7177c187c398320bb3934b751d87 19 8
Hiloti Trojan Ariel Millahuel SOC Prime Threat Detection Marketplace f8a63428721bcc8ad6de541a48e0a1f21d8e73a4f114603bcb7e9066042c502c 18 15
Malicious behaviour on user login (Microsoft Windows - c0d0s0 group behavior) Ariel Millahuel SOC Prime Threat Detection Marketplace a4380ca308017f92e049147ec46e562ab46b9642b1952944647bb9bf85e4c95d 18 0
Mshta Spawning Windows Shell Florian Roth Sigma Integrated Rule Set (GitHub) 464455b93d1b76acf868754cca0e609af558267671ad641714ca27a923efb9ba 18 0
Potential Homoglyph Attack Using Lookalike Characters Micah Babinski, @micahbabinski Sigma Integrated Rule Set (GitHub) a2dffac0fcddbca9dddd5b57f9a9841ae8948007b05988ff3ba4b101da5fcc45 18 4
Remote CHM File Download/Execution Via HH.EXE Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 5544bfe63d743fba858c3a75c7dd46a76520367a1278b1fe3d5c5609dc42fc4a 18 10
Remove Account From Domain Admin Group frack113 Sigma Integrated Rule Set (GitHub) 2b323eb1de293c4dbf91041f23c3507c4aaf71c4bc36b04ccb8fc5731995a398 18 2
Activate Suppression of Windows Security Center Notifications frack113 Sigma Integrated Rule Set (GitHub) 3729c929acbee7cae1291d3e460c3e673684211679e8a94cbd1297192aafdd06 17 1
Cscript/Wscript Suspicious Child Process Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 1a5f4db4505797dbb968725fb6bf6b357968abf23fbcc6b92acd08a6214e3e4e 17 10
DNS Query for Ufile.io Upload Domain - Sysmon yatinwad and TheDFIRReport Sigma Integrated Rule Set (GitHub) 948e697920a298ec6250c9c3157174bb53f162acfe6435ef673ac34c61021f2c 17 8
Deleted Data Overwritten Via Cipher.EXE frack113 Sigma Integrated Rule Set (GitHub) d3e54936275abafa46d4b77891ec8f7fe6dd55d420fec613476144dd5d26f1a7 17 3
Disable of ETW Trace @neu5ron, Florian Roth, Jonhnathan Ribeiro, oscd.community Sigma Integrated Rule Set (GitHub) d85308a28516fa075ee74a4ffd11aea2be1f15add944422ade0969027648a3fa 17 1
Discover Private Keys frack113 Sigma Integrated Rule Set (GitHub) 2a86897d4c284135c8e21105377149da6e12d9f57525bfdccdfb55cf4b3425fc 17 1
Discovery of a System Time E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community Sigma Integrated Rule Set (GitHub) 18ed38c04ceafb2aa0b9dcb106310ce76cb1473a4109b6a489663f5c250bd2a6 17 1
HackTool - Inveigh Execution Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 2bfe4c7c4dfa23e7dbcb187f2cbe57e783da76cc66114dacec73520935d9bf78 17 3
Hacktool Download Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) b995506076579a8c1f5b600eca139df5fd016994aab5c3865a4f7f7cd0dc3931 17 0
Potential Persistence Via Scrobj.dll COM Hijacking frack113 Sigma Integrated Rule Set (GitHub) 9d0ab0b7154dbe461f0e116296f545e8955e0c85892bcff2de2b680e29ba2af3 17 12
PowerShell AMSI Bypass Pattern @Kostastsale Sigma Integrated Rule Set (GitHub) a7940883a0164e9f8e04f1c88ad85ebf44ddd11d7a06aa93f7c42c3111a33d01 17 0
Root Certificate Installed oscd.community, @redcanary, Zach Stanford @svch0st Sigma Integrated Rule Set (GitHub) 80e21a1883c10ba77d6f4a1b0b6903e9ba65d57e1874d2cd81b121f762481c64 17 1
Service Execution Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community Sigma Integrated Rule Set (GitHub) 3edfb66bbbe5056c7df0064ed6164a68632d8d476ab015091e0e33f5159d9052 17 1
WMIC launch script from xsl file Joe Security Joe Security Rule Set (GitHub) cc58aa96e11657d0df0ee460019755b19a5929a979fdadd56569d6b35c03fdba 17 0
Bazar Loader Detection (Sysmon detection) Ariel Millahuel SOC Prime Threat Detection Marketplace 6e25203533b4bcc3b9ce1805fbf4ec196d2fd6139dcf17880caf0e2952c3ebfe 16 1
CertReq.exe Lolbin Den Iuzvyk SOC Prime Threat Detection Marketplace bc9b5e9188d37350da57ebc0b5b9ccc8a2ee828e827a15edb38904b64317a291 16 3
New Service Creation Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community Sigma Integrated Rule Set (GitHub) 0e01e0ac3c9d7b292996c00466851ff64ca8e3aabb384b096bddba88aa769464 16 0
PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE frack113 Sigma Integrated Rule Set (GitHub) 2abd81b6396ea687490b2d703ce07c1abd135ba398d89ab839c66e6a43f713f0 16 9
Raccine Uninstall Florian Roth Sigma Integrated Rule Set (GitHub) ce4fb10349cd95756b2f98a27b259d71c99ec9e0323815f2e916737fcbd1d4ba 16 0
Suspicious Shells Spawn by Java Utility Keytool Andreas Hunkeler (@Karneades) Sigma Integrated Rule Set (GitHub) b7e93e0475f0c46a1c6bfd3f1f401e0a34bb9c8d73e2308101ed1368b5189de0 16 0
User Discovery And Export Via Get-ADUser Cmdlet - PowerShell Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 0caa50babf4475fc8fa04167d47d87d1e0d04294b8534c19e180e2c9dde0012e 16 15
A Member Was Removed From a Security-Enabled Global Group Alexandr Yampolskyi, SOC Prime Sigma Integrated Rule Set (GitHub) 1d6eea9825839d71a79ed93bd0f383b8826d8a1ca80c0d063e7f43e648b2d67c 15 6
Disable-WindowsOptionalFeature Command PowerShell frack113 Sigma Integrated Rule Set (GitHub) 3becb58829ad8f8f58a8716e0deb90627269a650475809ba1704d3facae71a69 15 6
Fodhelper UAC Bypass Joe Security Joe Security Rule Set (GitHub) c5017f04443b7c88d4fe320734d24f38108f67663239bc00f5c164081e9b5e0a 15 4
Microsoft Workflow Compiler Nik Seetharaman, frack113 Sigma Integrated Rule Set (GitHub) 360867571c752aa9ec6da95a6c3db7a37dda60e6627df594f31f89692b8063d0 15 8
Office Security Settings Changed Trent Liffick (@tliffick) Sigma Integrated Rule Set (GitHub) 7210b6208abd6826bfdb8d8666ae792549157fe8070e355cad577fd8f9ef6499 15 0
Password Cracking with Hashcat frack113 Sigma Integrated Rule Set (GitHub) 9621c87be63b1ea5e038a8d2759bc0bbe6a5ee4f322b9763fdc06f159d781698 15 6
Potential Attachment Manager Settings Associations Tamper Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) beea9838b890b61ccab05d6321880b112538b784e3caf82454293c4c087caadb 15 1
Suspicious Auditpol Usage Janantha Marasinghe (https://github.com/blueteam0ps) Sigma Integrated Rule Set (GitHub) 33a4a18ae1a3802586c239be79075294541594b5b603c230af39618577e03fae 15 4
WinSxS Executable File Creation By Non-System Process Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) b98d05d95e8a26eef6f1edf143064928002638d3a45c7a007a16c7b3bb5a9cd7 15 0
HackTool - Htran/NATBypass Execution Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) becb1782f61cc6f06558e9bdda4cbc531606bfb0b4b92c0667d6dbde99a67b77 14 0
Lolbin Ssh.exe Use As Proxy frack113, Nasreddine Bencherchali Sigma Integrated Rule Set (GitHub) 2055166f6099144ebb73ce53abe7aadcd74447fb30806756d8fe22ac92352f1d 14 13
PUA - DefenderCheck Execution Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) d29242190c6dffd993895588fbb9a2918a3e0e636e3cd6560339d9ae469f3bdf 14 0
PowerShell ShellCode David Ledbetter (shellcode), Florian Roth (rule) Sigma Integrated Rule Set (GitHub) a8f93a6a21c54d549a6d042e48c067948add81f96231c70f83cdfa345b1f6cb3 14 0
Powershell add exclusion path, extension and process Joe Security Joe Security Rule Set (GitHub) 177e7b167f988da0ec82090f6aaaa1ad7e74609b6832a0abb8759bc9e652fee2 14 1
Powershell launch wmic via class Joe Security Joe Security Rule Set (GitHub) 1f85dfeaa80a160e0d553a3ac8d1d5139a7622d4d146c43f52eedbe005757ba7 14 0
Service DACL Abuse To Hide Services Via Sc.EXE Andreas Hunkeler (@Karneades) Sigma Integrated Rule Set (GitHub) 31469fa3c8d37b7e80913d07ce5549c9371e193ac3f0d3211f519adbb2de950c 14 4
Suspicious DumpMinitool Execution Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 5756a38333b7f693b74fb2c16621de4da8e6e821acbb692ada0984c90768ca6b 14 14
Suspicious Use of PsLogList Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 2a651ab66176323248a00a1c8f2e0c1d6e82ebbcb2c316bd3a1bce5391cc6b28 14 3
Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 6a048234462e46cb2ce5b49006ff2d3e6f3a58ef583716ceaf74d911b04c1a85 13 8
ExtExport.exe abuse Den Iuzvyk SOC Prime Threat Detection Marketplace b74bcba954f168601bf9276abbb38f732599a67e11aa264ce29f8bc3f056aed3 13 9
HackTool - GMER Rootkit Detector and Remover Execution Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) e47f51603e07d3225e0193822f65d9ce5fb78441750008f7e5ae695626585c7f 13 0
HackTool - SharPersist Execution Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) b0c69b8d2020a5d6c12bee42bba9e6d94b6b9045ea1920405133ee19546dbcab 13 0
Impacket Tool Execution Florian Roth Sigma Integrated Rule Set (GitHub) bcdf3f22e3474c8f1ea65e450422f64bc2fb74de766f420de7cd57827679d7f7 13 0
Interactive AT Job E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community Sigma Integrated Rule Set (GitHub) c288d5891a082dd1f38d14b832960d7e1b88651dc301c6985be8e66b561bf95d 13 0
Netsh Port Forwarding Florian Roth, omkar72, oscd.community Sigma Integrated Rule Set (GitHub) 00fb9d21500af7c2b136a91e80c983e8f98843c063a63898c2775d7a5a91efa9 13 2
Obfuscated IP Download Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) ffc754712d43996d8ad6fc8498ab7057e29da0a46860be0cb0daab6dd58f1afc 13 1
Port Forwarding Attempt Via SSH Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) c815b3703c48114366c7be5b543fc8851073e1b27fde789d784a09a657295a9d 13 11
Potential CVE-2022-26809 Exploitation Attempt Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) a212f91d8c2a0d339c91a9344ae02c2847e74c85458506b719d65b59e4e79069 13 0
Potential Process Injection Via Msra.EXE Alexander McDonald Sigma Integrated Rule Set (GitHub) 973e933a4e2394093f5cce603e5ffadbcf35df2afd29c4dc0e1a002e06d9b58b 13 0
Powershell Keylogging frack113 Sigma Integrated Rule Set (GitHub) ed239970ee8d5e197f594aacc2fd6f6f6d3dae189b2b2aaea8c2f5d100939e42 13 6
SQLite Firefox Profile Data DB Access frack113 Sigma Integrated Rule Set (GitHub) aa3ad15f592c022521aa6e4bc687dc3c181cea9b9343b55e1b909bc937113348 13 0
SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code frack113 Sigma Integrated Rule Set (GitHub) 37beaf97b85714dccecd452e684c29d067adea49095ddf3ec6631dc8acf14337 13 1
wmic launch powershell and execute encrypted script Joe Security Joe Security Rule Set (GitHub) 016a456c70d6e45a65219e2ee0e3972cd7104bf98c318e2f088a07f71fde0d43 13 0
External Remote SMB Logon from Public IP Micah Babinski (@micahbabinski), Zach Mathis (@yamatosecurity) Sigma Integrated Rule Set (GitHub) 676272e187514be2245c3e99449f737c2a5ccd25c5cc68d52d965c7638c25fdf 12 6
Password Policy Discovery With Get-AdDefaultDomainPasswordPolicy frack113 Sigma Integrated Rule Set (GitHub) 59b625af50fa92cc05953cfdf68d6c931bb58a09a058e54757d152acfce5923c 12 5
Possible Applocker Bypass juju4 Sigma Integrated Rule Set (GitHub) b9996fdb64c94bd97526744b8287a3b3b02ac4eceff0980c672209adae0be6e5 12 0
Potential PendingFileRenameOperations Tamper frack113 Sigma Integrated Rule Set (GitHub) 3b132597acd67d1315d83f5f329eb2db40a281a5c93df8881e681ba8d6af5a59 12 0
Potential Remote Desktop Tunneling Tim Rauch Sigma Integrated Rule Set (GitHub) b0551b45d814be91563636b774668bc85acfc296a30640e00aa036f4813d0809 12 0
Use of OpenConsole Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) a98f3c123f3a93c1b00c4d125f1350e14a15b206767e6a109767a0229611baa2 12 12
Creation Of a Suspicious ADS File Outside a Browser Download frack113 Sigma Integrated Rule Set (GitHub) c73db505c48b84558f4676b0613f79f5cc2c70db3a96086c3a010c535c245530 11 0
DeviceCredentialDeployment Execution Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 63437b0e9c5e21d2823a28f0a428ee4bad8d30ba59ddbfb9227fe13452f1aebe 11 1
Enumeration for Credentials in Registry frack113 Sigma Integrated Rule Set (GitHub) cf1e24c4e4b805857977d873b41de8cf08d618fa56ffb27ece5e9b41e84807d6 11 4
MZRevenge Ransomware Ariel Millahuel SOC Prime Threat Detection Marketplace 34b4fad92956929789617ef0c367187e5950267fc9fb902893bf5a6583ab5439 11 0
Nibiru detection (Registry event and CommandLine parameters) Ariel Millahuel SOC Prime Threat Detection Marketplace 8bbea961d969188574b7fe958c971caadd38b955cc77f21093d7d5d266e4d697 11 0
PUA - System Informer Execution Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) a00758f1aca02cbafe08dfea3c9d6fc45ef3972d7e1ccc41ef3df19293c36d15 11 0
Remove Windows Defender Definition Files frack113 Sigma Integrated Rule Set (GitHub) bde07bc9414d410eaf67f99408a24b51b4b8d186451e641a9a90076cfac22613 11 0
Suspicious Encoded PowerShell Command Line Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community Sigma Integrated Rule Set (GitHub) 09a6527b05920e47aecbebf5df306d1c194b850076e73d74c3b9ead23b654425 11 0
DirLister Execution frack113 Sigma Integrated Rule Set (GitHub) 1f0dfd07d0caa1048bb3bb336c0d72bf884362c570c7a4bd683aa30e5f81ea19 10 1
Drop Binaries Into Spool Drivers Color Folder | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 2ef7bdcb98df6e413074966907c161b915f676e3f947a452e418049eeed22b75 | 10 | 0
Dump Credentials from Windows Credential Manager With PowerShell | frack113 | Sigma Integrated Rule Set (GitHub) | 5058b79d96d2165425d539e148ae3fe578dfa62b75b71f82ca2bd6bc347be4d5 | 10 | 2
HackTool - Rubeus Execution - ScriptBlock | Christian Burkard (Nextron Systems), Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 98b35d6064ab9d23d69cf136567c9243c969bd5a1bf0f88f94c768bb1c624d71 | 10 | 0
Hidden Local User Creation | Christian Burkard | Sigma Integrated Rule Set (GitHub) | 084f8f629ce19b2d68d7e27615e59a3ebea0e92f94d25fffcdf6981152cf5efe | 10 | 1
New or Renamed User Account with '$' in Attribute 'SamAccountName' | Ilyas Ochkov, oscd.community | Sigma Integrated Rule Set (GitHub) | 6c5cfe607309f4bc96c1644752af6a875fd27ea6910ddff26e40a4ae64a26e05 | 10 | 1
PUA - 3Proxy Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b64369f53ef70c3d7e1d585af2907c0131463758488f404288df85bbb2891ee7 | 10 | 0
PUA - CleanWipe Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ede87d3abc8a99be3ca19ab4102e923f13e3f7b181cde6eddea9e6f1593b1e77 | 10 | 8
Potential QBot Activity | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 0453733ce01d4d10623584c342bf2a905ff761f1fb7b0bfbadcb80e8d940c32b | 10 | 0
Renamed BrowserCore.EXE Execution | Max Altgelt (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | d41dfd30129ef96d21bf50a0af9161636d21ec67ec25000786a06ba54a7cb7b7 | 10 | 1
Suspicious File Characteristics Due to Missing Fields | Markus Neis, Sander Wiebing | Sigma Integrated Rule Set (GitHub) | 608e0e17d25bcba31de608552a073a6677d4f626ab55bce353a686eda3f60bcc | 10 | 0
Suspicious Get-Variable.exe Creation | frack113 | Sigma Integrated Rule Set (GitHub) | d3f846e7661da10674d978e09815c9157764a57fc6651e2b2f8cb498cb4220b0 | 10 | 0
TAIDOOR - Chinese RAT | Ariel Millahuel | SOC Prime Threat Detection Marketplace | e3cdbb4de2c006685f06e358196d7f41ab1098005328b93d9834acae72ddaef0 | 10 | 1
Use Get-NetTCPConnection - PowerShell Module | frack113 | Sigma Integrated Rule Set (GitHub) | e69f9e383811e595a9561c923eddfc5df48f9e54f4df8fa281fcef6b501048ac | 10 | 5
AntiVM | Joe Security | Joe Security Rule Set (GitHub) | 53c56007ae94680c26786bcd895d2087db975d72635c0646c8e0ee8b2ca6539b | 9 | 0
Code Integrity Attempted DLL Load | Florian Roth (Nextron Systems), Nasreddine Bencherchali | Sigma Integrated Rule Set (GitHub) | 02c7efd9db64dc8e5d5e82d3bba880a3b1ab9e0fec19e15c668b9a63e1d58fb1 | 9 | 0
Credential Dumping Tools Service Execution | Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 25727cb75bc931bc91e433f5340be32ccedd13bf460a2fd8da5b1a8d8b4a369b | 9 | 0
Direct Autorun Keys Modification | Victor Sergeev, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | b5f76af9d8101930af8d4fee71f3a5395b47eff6bb88e581db02bf890242d79b | 9 | 1
Disable Microsoft Office Security Features | frack113 | Sigma Integrated Rule Set (GitHub) | db422d3f89e405109467a926cbee52085ff1a33cf97bc054529a03a316dafa2e | 9 | 0
Disable PUA Protection on Windows Defender | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 09a64c87ba1b11c75a19c495d100b0ef9fa95955560f0e1b4f9f2842159caaef | 9 | 1
Dumpert Process Dumper | Florian Roth | Sigma Integrated Rule Set (GitHub) | f98998b2f0e9bb08954d741777bfdb257c7cb3dcce96f88af84ecf966e2e5695 | 9 | 0
Enable Restricted Admin Mode To Bypass MFA (via sysmon) | SOC Prime Team | SOC Prime Threat Detection Marketplace | 7b0a12d70498be6b75106baeadc6572fa8f03b6e6ce96998c3c84f14e5dd19a6 | 9 | 5
Geofenced Ru | Joe Security | Joe Security Rule Set (GitHub) | 562da91a76462659002a010f3f5e20f6ea8d3c7771e342dce7b3d0b5b2421eb8 | 9 | 0
Import PowerShell Modules From Suspicious Directories | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 8d3babfc30026e6742962ab48698047f9a8036f0689ca28804828a0f4c74c1a6 | 9 | 7
Inveigh Execution Artefacts | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 04a3ff78807e08f6f792e8645f0d500d0b8ee72ef7ccf43d29295bda7cfa1c51 | 9 | 0
Legitimate Application Dropped Archive | frack113, Florian Roth | Sigma Integrated Rule Set (GitHub) | 0b57c6b31ce9eea5f85c018839666b92eb3444ccbb55a5d93f7b89a74cb7daf6 | 9 | 0
Locked Workstation | Alexandr Yampolskyi, SOC Prime | Sigma Integrated Rule Set (GitHub) | b1f5ca9566ca9b549b32bfe57eee2e7ec1ae42a47aeba5cdf24c69c64e35dd5f | 9 | 3
Microsoft Sync Center Suspicious Network Connections | elhoim | Sigma Integrated Rule Set (GitHub) | c122f750d19364e5cdb16e7fcce3cd01da31e9d258cfd5dc255864758d7d44b9 | 9 | 0
Potential Keylogger Activity | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 6e703d50e111ee23983e8b6aa4d4451e1e59158b2bb8bd0c0a7bbe38c708c4e3 | 9 | 2
Powershell Trigger Profiles by Add_Content | frack113 | Sigma Integrated Rule Set (GitHub) | 9ed950c94ef5dce1af4ac6ba1eb25704edd170e1a75506e3095eb362e63eab6b | 9 | 6
Query to GoToAssist Remote Access Software Domain | frack113 | Sigma Integrated Rule Set (GitHub) | 543100b86d56272595d663cd87539f09fb01e9ce06b5d847c2bc9ad88710b17f | 9 | 9
Registry Persistence Mechanisms in Recycle Bin | frack113 | Sigma Integrated Rule Set (GitHub) | 661375a6a064f858d66665c13895d00ce56bb356ccda48cbc40727b9b6f4e220 | 9 | 1
Shedule powershell with encoded command parameter | Joe Security | Joe Security Rule Set (GitHub) | 915a39321a250831a95cbb6b6598214820d1be1095aee6555106a9ca7d02a36a | 9 | 0
Suspicious Scheduled Task Write to System32 Tasks | Florian Roth | Sigma Integrated Rule Set (GitHub) | 3da113395881b8606ab35684394038c9c59eb8dae1b899ed92a2c40df104f5aa | 9 | 2
UtilityFunctions.ps1 Proxy Dll | frack113 | Sigma Integrated Rule Set (GitHub) | 49b5176aaffe3fdb7bacc0dff70b5ac48bf0872faf993e311c4f5530db76a160 | 9 | 7
Winword Drops Script In Startup | Joe Security | Joe Security Rule Set (GitHub) | 04a0af687c3b9094f9252dc38ead308fae7facf86cb7e4bf728075c9b17ed9dc | 9 | 0
BloodHound Collection Files | C.J. May | Sigma Integrated Rule Set (GitHub) | ea90a9d0a5b0365173a60c78d15843211f9bc89dd93a164a6b464b66d82da85c | 8 | 0
Delete Important Scheduled Task | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 4b6a191a02d514b34f125957168469a325b2720a4b3592aab7d5528aa5afad64 | 8 | 3
Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script | Tim Rauch | Sigma Integrated Rule Set (GitHub) | 3fad126ae93b8bb078502d36cb4e234c89c2539784bb1f8e446e615d3f54c186 | 8 | 0
Disable Tamper Protection on Windows Defender | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | bf1de3b61466c6018ee71be3f901fb544ddb30709a256ce88ddc19444b5a1ea1 | 8 | 0
Execute Scriptlet Via Regsvr32 | Joe Security | Joe Security Rule Set (GitHub) | 568224310775bb02fb9ae53d55d8f7c8bc1daf93e73db7670b15f8b6f421f00d | 8 | 0
Findstr LSASS | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | e3175b1068c342ed7e05a42913dc8cb72ea0167a81bf24fc620261d4ec40f78d | 8 | 1
Meterpreter or Cobalt Strike Getsystem Service Start | Teymur Kheirkhabarov, Ecco, Florian Roth | Sigma Integrated Rule Set (GitHub) | 22ddfce5e8a79e957f4dbdceb97e27d764b010d395a20fd45cf95a20d02b53e9 | 8 | 0
Nslookup PwSh Download Cradle | Zach Mathis (@yamatosecurity) | Sigma Integrated Rule Set (GitHub) | 6abd8206d99c8274a0842b1790664265abba050503b2bbafabfd33fd68b91cf0 | 8 | 1
PUA- IOX Tunneling Tool Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | df765eaa567c547d6a5b1ade1739bfcb54c5c9a76cabb60de34451560bdaf198 | 8 | 0
PurpleSharp Indicator | Florian Roth | Sigma Integrated Rule Set (GitHub) | 8cdb5f2da7eb9e3002ce4bbdd8a373b7dcd25103b4373f9b672e54f74c5316e0 | 8 | 0
Remote Thread Created In KeePass.EXE | Timon Hackenjos | Sigma Integrated Rule Set (GitHub) | c7b5dea156bee8e6c2b83c210e6135eea01b42f8c08ec3f18fd04046036bf973 | 8 | 0
Sdiagnhost Calling Suspicious Child Process | Nextron Systems | Sigma Integrated Rule Set (GitHub) | 4254515e2214920c73b9dc8a7c9f084744461c248ca9e42ffb9e113d325a2615 | 8 | 0
Suspicious Process Start Locations | juju4, Jonhnathan Ribeiro, oscd.community | Sigma Integrated Rule Set (GitHub) | 7776601555567f764fc3e22722bef1fdde521b5bdff9fff38f9031e9a3f7ce54 | 8 | 0
VsCode Powershell Profile Modification | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 59db8591e12ce774c3ed205213760eb2341a6314257edbd898e991ea42d98e80 | 8 | 8
COM Hijacking via TreatAs | frack113 | Sigma Integrated Rule Set (GitHub) | 849823df2c9dd0af3b0d2474c1008165e48a5accc0c613e62140502a1eb678d8 | 7 | 2
Decode DLL Via Certutil | Joe Security | Joe Security Rule Set (GitHub) | 512a021b2a6002cdc06a23350dd7744a78311e5eacbe59b19864a594b50fc33e | 7 | 1
Deletion of Volume Shadow Copies via WMI with PowerShell | Tim Rauch | Sigma Integrated Rule Set (GitHub) | c7ad5ab5203e14414fcbfb23542125d64b7aca04b7afe48d594ecb9b7c117ec3 | 7 | 0
HackTool - LocalPotato Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 3830810896e4e4a4cb02898a844b8488dd8240175e569b96a950d8ae6bcb9c88 | 7 | 0
HackTool - PCHunter Execution | Florian Roth (Nextron Systems), Nasreddine Bencherchali | Sigma Integrated Rule Set (GitHub) | 8046d8e3f3ef408857439eaf28938b362576b464ba00290a73789cfc2fb05d9d | 7 | 0
Hidden Tear Ransomware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 6416d92c1d6493914510053de27fbb52201520df66cac075111034d37aac4194 | 7 | 7
Notepad Making Network Connection | EagleEye Team | Sigma Integrated Rule Set (GitHub) | eebf53f371a18d7f8d6992a935d2fbfe811f3d78552949a0597456693cffd553 | 7 | 0
PUA - Sysinternal Tool Execution - Registry | Markus Neis | Sigma Integrated Rule Set (GitHub) | 35df1aeee1f1078e25bb64a8af513db99a7df8736e4847041fddacedf6b747c9 | 7 | 2
Potential Data Exfiltration Activity Via CommandLine Tools | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 10f9b0f9e2b7be69811ff067e358984311772914e6957f50adf963207948fe4e | 7 | 6
Potential LSASS Process Dump Via Procdump | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a6a60c80601bd33b44e65b559f9e53c0b9237ab7f54ca97530065cd494662e3b | 7 | 2
Potential Recon Activity Using Wevtutil | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | df4c82057d61dd45f1a9a17a781614a8918ad397600ddeee25a1615fb75459e8 | 7 | 4
Potential Suspicious Windows Feature Enabled - ProcCreation | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 357a1509ab7f78c2a398c655fccc9dc788108fb9790efbdce90601bcd6d4b4de | 7 | 4
PowerShell Get-Process LSASS in ScriptBlock | Florian Roth | Sigma Integrated Rule Set (GitHub) | cac21fdc92116671a9e24502beff8b3cc9b77c6d7a23b8f10aefa65821fd9014 | 7 | 0
Suspicious Process Patterns NTDS.DIT Exfil | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 9c132dee2c953c2d2497b3e00b2cf2309bc1f44409b130f0e34af66f9edf8713 | 7 | 1
Suspicious Reg Add BitLocker | frack113 | Sigma Integrated Rule Set (GitHub) | 1e5c4651907cea569ba4493fc4d9c634d654da730dcdfa36412180bfb694dba9 | 7 | 4
msiexec download and execute | Joe Security | Joe Security Rule Set (GitHub) | 80df93b91d026bd6faf3f28497aecc8b5a81a6553fe9336a204b11f4dcef8733 | 7 | 1
CobaltStrike Service Installations in Registry | Wojciech Lesicki | Sigma Integrated Rule Set (GitHub) | eaeadfa6378455d35bc7d294a678cf68a5a8c6c2b5417d038a80d96bdf2e76de | 6 | 0
Disable Windows Security Center Notifications | frack113 | Sigma Integrated Rule Set (GitHub) | bdccaff58cca68f197ac8f69e4b633c0bb114e3868020f4970296aa9e2866485 | 6 | 0
DumpMinitool Execution | Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | dd9440afb1ca0cf7997134c36af074fb136e90414cfd1d56903ab43e8c52b253 | 6 | 6
Execute Script with spoofed extension | Joe Security | Joe Security Rule Set (GitHub) | 206390e3b1deba575d9f4b3f8321fd015223f5177a8f486a56f6d74cd51afab4 | 6 | 1
HackTool - Jlaive In-Memory Assembly Execution | Jose Luis Sanchez Martinez (@Joseliyo_Jstnk) | Sigma Integrated Rule Set (GitHub) | ef084ef7df4d6d338332a4adf3272c6d7b031a4529a2d7030ec19c2a0e0fe9fa | 6 | 1
HackTool - SharpImpersonation Execution | Sai Prashanth Pulisetti @pulisettis, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 94b769b76d6dca121622b8559c3f5ed337893a1ee9dbbe67442d2f649a373b42 | 6 | 0
Malicious ShellIntel PowerShell Commandlets | Max Altgelt, Tobias Michalski | Sigma Integrated Rule Set (GitHub) | fd4e3cdd5f9ec511509a9b456f37f38c1e40597b044a8b780d338b09445fcf05 | 6 | 2
Potential Exploitation Attempt From Office Application | Christian Burkard (Nextron Systems), @SBousseaden (idea) | Sigma Integrated Rule Set (GitHub) | 5b693c1a0e1c87bcc7e8b870deef8f3f2c0aa4be921233e7ff5379f3b1f85dfd | 6 | 0
PowerShell Module File Created | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ac9471aa53e0850fa4b5f9ae701b9d20783d5f3762aa950efee3d94d5f862283 | 6 | 3
Powershell Store File In Alternate Data Stream | frack113 | Sigma Integrated Rule Set (GitHub) | dabcdcdecebe87ed3085b193d3ed09029f3556672622b42d5759dc816f0b6173 | 6 | 0
Powershell download and load assembly | Joe Security | Joe Security Rule Set (GitHub) | 32fcfd50f2fcf0aa58bebfbfb09b7e32b7349a17a5c1aaea5b18783f458c4e9d | 6 | 0
Privilege Escalation via Named Pipe Impersonation | Tim Rauch | Sigma Integrated Rule Set (GitHub) | 109e6e5533daa3625414a7f58f6a8b34392f3050c582146cfe13876cc85fd9df | 6 | 0
PsExec/PAExec Escalation to LOCAL SYSTEM | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 95ab10477326346ad231600df85597b403502c24947739b6a2b5bf75469a3024 | 6 | 2
Recon Information for Export with Command Prompt | frack113 | Sigma Integrated Rule Set (GitHub) | e49a78894a2986a5fb30eb4ab25cd648d87db2a35906c29afc8fa6d7664f5e63 | 6 | 0
Security Software Discovery by Powershell | frack113 | Sigma Integrated Rule Set (GitHub) | f02d9a0f1e4d862f9d1b1d10a2f43de36d855212d5a70b671a8493d53a1b1722 | 6 | 3
Spora Ransomware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | a656aafe4c0cca78f1ad9cc5fe8f97b01ab237e247591a7100edef559c032f30 | 6 | 0
Suspicious Export-PfxCertificate | Florian Roth | Sigma Integrated Rule Set (GitHub) | b1cd37588678d9d180fae5e3ac98088d0fb94bcf137b0f6b423ba503b9c48334 | 6 | 6
Taskkill Symantec Endpoint Protection | Ilya Krestinichev, Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 8cab8c8e34c5bf6c9ad0f509a28ebf3139e2d73c3b69078e57a1a63a0d5465f3 | 6 | 2
Use of PktMon.exe | frack113 | Sigma Integrated Rule Set (GitHub) | 2718243600ba0f2b3eed38a165f571cb8da2eeb23fd54844632d62088a47ad03 | 6 | 6
Wlrmdr Lolbin Use as Launcher | frack113, manasmbellani | Sigma Integrated Rule Set (GitHub) | 67d3612b65ef2b4db5ee2d86f8437cc82d5e33395a852f7540858df8738250fe | 6 | 1
Adwind RAT / JRAT | Florian Roth, Tom Ueltschi, Jonhnathan Ribeiro, oscd.community | Sigma Integrated Rule Set (GitHub) | a7648695383d3c54094a9a623178342f9965ac5977fdf3c70016e06b5d12fbdb | 5 | 0
DNS Query for MEGA.io Upload Domain | Aaron Greetham (@beardofbinary) - NCC Group | Sigma Integrated Rule Set (GitHub) | 8c60cfcbc7464b6af5d7b236a49a53fbfde22feb2036abbf947df7322a7343a0 | 5 | 1
Detected Windows Software Discovery | Nikita Nazarov, oscd.community | Sigma Integrated Rule Set (GitHub) | 01357d5e887b9f5de970cbdf4e5303b1faff6ff0de49e5ae4c516f933c8a951b | 5 | 1
Equation Group DLL_U Export Function Load | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a6d1a36dcfe72a6d78f5dd3b78c79bc294296460a9b3adcd993bdd6409046c7f | 5 | 0
File In Suspicious Location Encoded To Base64 Via Certutil.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 01705d905ff73214a70aaa5cc788cda6fa3195220319780605c2ba2c7afdacd0 | 5 | 1
Hidden Tear Ransomware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | e2c2e16d85599543e91b4dc9d25bd09e1b1ba61cafa1810a31073a40c91da39e | 5 | 5
Hiding Files with Attrib.exe | Sami Ruohonen | Sigma Integrated Rule Set (GitHub) | 5c3ea6806114163b8cdf5735aeb07e702ab63e0e486f721df84cf675e2b0a04b | 5 | 0
Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell | Timur Zinniatullin, oscd.community | Sigma Integrated Rule Set (GitHub) | 7943e73e12090a40bcc5a95e498a4655704cd76a8f1cc15acfef595e7f85a442 | 5 | 0
Lolbin Defaultpack.exe Use As Proxy | frack113 | Sigma Integrated Rule Set (GitHub) | 33c04ff56fdad87a0289647b36de2841f4a6fa4866c8656a4005c9f9048ce732 | 5 | 4
MSExchange Transport Agent Installation | Tobias Michalski | Sigma Integrated Rule Set (GitHub) | 7e012de38821878c4217e8f825643266daebb69300fb51da895c540db3ca6916 | 5 | 3
MSHTA Spawning Windows Shell | Michael Haag | Sigma Integrated Rule Set (GitHub) | b9bc90b7745bcb3a2cf9de40d1d419d18ead6650040015c7f4755848e9bfdb05 | 5 | 0
MSHTA Suspicious Execution 01 | Diego Perez (@darkquassar), Markus Neis, Swisscom (Improve Rule) | Sigma Integrated Rule Set (GitHub) | 7a63d1c1bf6ebb277b02d4893066d3732e3d7df562cfdbfee275bbc5c4de0951 | 5 | 0
Modification of Explorer Hidden Keys | frack113 | Sigma Integrated Rule Set (GitHub) | a264eb1ecc5d771f6348e8cadd3e5508323440b132da9cd70e3c579354eb50b2 | 5 | 0
PUA - Wsudo Suspicious Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 52ed387697917fea6508ac90f395dedf45d52b74d34188d52bf6be42b4ab9697 | 5 | 0
Potential Initial Access via DLL Search Order Hijacking | Tim Rauch (rule), Elastic (idea) | Sigma Integrated Rule Set (GitHub) | e6d0eea0a68b5abc52d30a4b096e43a13457c330945c48f0e430af2cc2e61bfb | 5 | 4
Regsvr32 Network Activity | Dmitriy Lifanov, oscd.community | Sigma Integrated Rule Set (GitHub) | a9fd3d8b393121d910bdb6416807881b8e231fde412098c46594fc45821d23ce | 5 | 2
Regsvr32 Network Activity | Dmitriy Lifanov, oscd.community | Sigma Integrated Rule Set (GitHub) | e7df5abed193d7732536dcfeb0d58fbdfd844ab7c3ddd6186f9afa9ced7a6f61 | 5 | 2
Remote Thread Creation Via PowerShell In Rundll32 | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b6b512a36600d72d464945b37dc5edcb606a3e429979c7f50e117d9a428ebaeb | 5 | 0
Renamed Sysinternals Sdelete Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 7d63599d287fda108a45075e54ff5b89384e0fbceef8bccec56b981f485b278c | 5 | 1
Replace Desktop Wallpaper by Powershell | frack113 | Sigma Integrated Rule Set (GitHub) | 0f1aa746beaad206dc77bb8542a498967f1fb26e0677a3fdf90cfd5cf5c22a75 | 5 | 0
Suspicious ConfigSecurityPolicy Execution | frack113 | Sigma Integrated Rule Set (GitHub) | 5b2e321b4ad7aa35a23d2181a655941dc96ea260435a6e1663158a7b2182a9fe | 5 | 1
Suspicious WERMGR Process Patterns | Florian Roth | Sigma Integrated Rule Set (GitHub) | 993d5c8b52bb82b1de2604204add68928f1fe311e3072e4e053d6dfb969e33e7 | 5 | 0
Clear PowerShell History - PowerShell Module | Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 2169a242b9139d712fde6f31781a606f5f50af9d5dd7474d415ae08a0cf96fb7 | 4 | 0
Conhost.exe CommandLine Path Traversal | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ae01473f6fb2564e81d4c6e62699b0c4458725e8a9aa178c9ac3841d5af3b1fa | 4 | 0
Copy From VolumeShadowCopy Via Cmd.EXE | Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | afa46c9c99b3c76a0450a8c7dface8fa7a53dda1c62644f81fd73ced0a0d096f | 4 | 3
Fsutil Behavior Set SymlinkEvaluation | frack113 | Sigma Integrated Rule Set (GitHub) | b479dbc5f99a688a740ef0586d12870ce1e3a4a5449727bcb3c11bb1510b6e8e | 4 | 4
HackTool - Impersonate Execution | Sai Prashanth Pulisetti @pulisettis | Sigma Integrated Rule Set (GitHub) | ebaee3629e5eae35e0043057b3b0fccc4f2831eaadec57c3280dc181b3683c7d | 4 | 0
HackTool - SysmonEOP Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 6fbc0321364b37bef63538725c9c7e8e9c0702db310e3060a5da9d201d72a796 | 4 | 0
MavInject Process Injection | Florian Roth | Sigma Integrated Rule Set (GitHub) | f7232cef6ad5bca28b27340de367589ba9ef580c1abb6dd69d8f2005a6473a4d | 4 | 0
PUA - CsExec Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b2300d5d918bfa55070c1a6c9eef5422d85306572df402f76d8549d97778851a | 4 | 0
Potential Compromised 3CXDesktopApp Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ae1d35c3cca80cd7625db9f23535aeb938e4401d7c63e6a938329fb4c3ccf55b | 4 | 4
Potential PsExec Remote Execution | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 534500853b096a12173d832563555b71c1116d432b7dabba079946461ef7e617 | 4 | 0
PowerShell Write-EventLog Usage | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | fa5822a3aeab0960eda08e8d46a8126db47dc54aa6a0e0ae7a7163dc7fe9746e | 4 | 3
Ranumbot Trojan (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 9adcf2b748c0913ce46ec2734223045df982e2a86948b8740a48edd412720e70 | 4 | 0
Recon Information for Export with PowerShell | frack113 | Sigma Integrated Rule Set (GitHub) | 713f92f086b68096c3f56ca930b031275ba60fcd9b0986dca0e69d63a349fe11 | 4 | 4
Renamed MegaSync | Sittikorn S | Sigma Integrated Rule Set (GitHub) | 5ed404c9cabd248ba80d6d5852fc81ff9c668726a632eb06be9595bd5b80d869 | 4 | 0
Renamed PAExec | Florian Roth | Sigma Integrated Rule Set (GitHub) | 58a87adff5b80f1f00537e13c96a7a3ca3c24b661fb3d6f998ed9a120ad72ccf | 4 | 0
Sensitive Registry Access via Volume Shadow Copy | Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 2904a54d46badb30ae1eda5e935bcbcc71f8a08303a31fb68bf9e1fb8f0f0858 | 4 | 3
Suspicious Certreq Command to Download | Christian Burkard (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 90480b0d96dd273a177b536ad0b17f114b0426bdb4c6e04d4692da954658bac1 | 4 | 1
Suspicious Plink Remote Forwarding | Florian Roth | Sigma Integrated Rule Set (GitHub) | fd6a0f7521cf3dabf0d2ac45a1aed9f2e2029daa9d1fba9f71905bb34aa427ca | 4 | 0
Suspicious Registry Modification From ADS Via Regini.EXE | Eli Salem, Sander Wiebing, oscd.community | Sigma Integrated Rule Set (GitHub) | 7d40150efe45672b8a7928c4d3ccb55e1238e89ead72dc4a08390a907fc57c17 | 4 | 1
Suspicious Rundll32 Activity | juju4, Jonhnathan Ribeiro, oscd.community | Sigma Integrated Rule Set (GitHub) | 0d7b38274ada42870a9b5fe59433cc701b21c18ef543b8c653d2e5dae0f93c0e | 4 | 0
Suspicious Unattend.xml File Access | frack113 | Sigma Integrated Rule Set (GitHub) | ab4f3a9eb0931d1b25be0e6ec70048514d987acda1b98b078b334de53d084360 | 4 | 1
Sysmon Driver Unload | Kirill Kiryanov, oscd.community | Sigma Integrated Rule Set (GitHub) | 7729210ddf59514a2d5ae300b6b3c3cd9b836719c40091d770a3b08bef6d735d | 4 | 0
TeamViewer Remote Session | Florian Roth | Sigma Integrated Rule Set (GitHub) | a8298e7cd8ae07e912b976b51f53ec407301b782a18845c32270523946510c52 | 4 | 1
UAC Bypass via Windows Firewall Snap-In Hijack | Tim Rauch | Sigma Integrated Rule Set (GitHub) | 6394e0e9f8661be1f0a1006d948fbd4f1430543e592ee7fb29a34a6c6fded839 | 4 | 0
WMI Reconnaissance List Remote Services | frack113 | Sigma Integrated Rule Set (GitHub) | 122d74917c1ba5d7e854a6a25e2ce8bd997bfe1398c7b5ddaaecb88edf02edd8 | 4 | 1
WScript or CScript Dropper | Margaritis Dimitrios (idea), Florian Roth (rule), oscd.community | Sigma Integrated Rule Set (GitHub) | 2020feadc9b3cf47558c219948361d9d3eb5347af91135f21bf711f6032bc817 | 4 | 0
Adwind RAT / JRAT | Florian Roth, Tom Ueltschi, Jonhnathan Ribeiro, oscd.community | Sigma Integrated Rule Set (GitHub) | 211f7156257e48d853aa431ddfc3fc7b86ca8dabc95f61553575d821ab58fd76 | 3 | 0
Atbroker Registry Change | Mateusz Wydra, oscd.community | Sigma Integrated Rule Set (GitHub) | 15ae81a84c9a92e5ffb3bc1c4cecc28883ece49fc1ceef55d745ac094ece0622 | 3 | 0
Automated Collection Bookmarks Using Get-ChildItem PowerShell | frack113 | Sigma Integrated Rule Set (GitHub) | 9fa49f4a1e9253459c99846a03ce69d8e029b42640efba5e158e2455b6c0f5fc | 3 | 0
AzureHound PowerShell Commands | Austin Songer (@austinsonger) | Sigma Integrated Rule Set (GitHub) | d745e174b185bed59eeb7c26c061f86404d4a74607b523973b17ee01d22e665f | 3 | 0
Blue Mockingbird - Registry | Trent Liffick (@tliffick) | Sigma Integrated Rule Set (GitHub) | 047c4b3f6b03d9a7cd611e4baaeffab7d6854460859ecf302466ae225ddaf2c7 | 3 | 1
Communication To Ngrok.Io | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 0aaab6e75614dc39c58e45ef5b3a7f0a1e455ace3bb9041e837370214a92ef58 | 3 | 0
Creation Of Non-Existent System DLL | Nasreddine Bencherchali (Nextron Systems), fornotes | Sigma Integrated Rule Set (GitHub) | 3177080de9eacb01db500eb08111e0cbe691a57ed11d8bbeffacd6e8ef6e9b2f | 3 | 0
Drops a DLL with WLL extension to the startup | Joe Security | Joe Security Rule Set (GitHub) | 0a0b097696bd0b36b7d1443e446cbff6c2146d7a93cacaf2838ed0fe366b61d9 | 3 | 0
Emotet RunDLL32 Process Creation | FPT.EagleEye | Sigma Integrated Rule Set (GitHub) | 4e5ef297fadbdf1fbd3c57b71841275af9687495d2f45e59fcbabdba98315434 | 3 | 0
Execute MSDT.EXE Using Diagcab File | GossiTheDog (rule), frack113 (sigma version) | Sigma Integrated Rule Set (GitHub) | c4a1cabbd4c25e14be0bd98c5770d2e94ad2885f8f505bddcd03978cf4ba0905 | 3 | 1
Execution via WorkFolders.exe | Maxime Thiebaut (@0xThiebaut) | Sigma Integrated Rule Set (GitHub) | 50d292f837567defe72f24a4b91ee437943cd8f35d5aedcf15979d3d253d38e9 | 3 | 2
File or Folder Permissions Modifications | Jakob Weinzettl, oscd.community | Sigma Integrated Rule Set (GitHub) | d1b3909fc498977f2008254e9e38903c16568e7a8aaaeb2eb0d1d4f155373408 | 3 | 0
HackTool - Quarks PwDump Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 83fcbb048fc301513c7de88d6b54f969a6cbb28bee2de22baf8a56ee7c454e81 | 3 | 0
HackTool - Sliver C2 Implant Activity Pattern | Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 37af4676baf9c863ccb2ca099ad1368020d8f1969b80a3e8a21065525136ff56 | 3 | 0
Hidden Powershell in Link File Pattern | frack113 | Sigma Integrated Rule Set (GitHub) | 9e321ddc9cddac65fd520665184681e53aedaf0652832edb168aa27ac04e59ca | 3 | 0
InfDefaultInstall.exe .inf Execution | frack113 | Sigma Integrated Rule Set (GitHub) | f6602c9cc48a37aa44fbfc4ffe4560e8f37e1934e365a235af4ae61c9571ded1 | 3 | 1
NirCmd Tool Execution As LOCAL SYSTEM | Florian Roth, Nasreddine Bencherchali @nas_bench | Sigma Integrated Rule Set (GitHub) | 40d85a90edfb89bec5045c66b822890370973192e8b0e6b11d87926d3c70c18a | 3 | 2
Office Macro File Download | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | aaba58981e0428da3913c964606d7609d2f2b2553131eb76cbc3b1fbc611008a | 3 | 3
PUA - Crassus Execution | pH-T (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 43a1d4f767ed0c719d573fd6ddfd62abcd7f8ebc365f97d7c2f83f9a7eeac91b | 3 | 0
Potential Persistence Via AutodialDLL | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 164cdc408856848b0eb1ce6165a865e2b8dbd9fcf0b5aa393fd7f1af640ff05e | 3 | 1
Potential Signing Bypass Via Windows Developer Features - Registry | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | bc27e2c02d1cb4d2eba75aa1668359b5caaafc79eb2531bdbe54410d63d727f3 | 3 | 0
RDP Login from Localhost | Thomas Patzke | Sigma Integrated Rule Set (GitHub) | 3895d9722610797e2eb09dca91e1a804bb4eec6cc1ca5b81a937f13e4adc81f6 | 3 | 0
ShimCache Flush | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 7755af8c0fe9118bb510e5bd0317a174fc59e613270dce762bbc67cac8f68d15 | 3 | 2
Suspicious Cabinet File Execution Via Msdt.EXE | Nasreddine Bencherchali (Nextron Systems), GossiTheDog, frack113 | Sigma Integrated Rule Set (GitHub) | 4c0f8984146566700f953eb45fc4781e3347270de34abc6768ebafe2403c457b | 3 | 1
Suspicious Minimized MSEdge Start | Florian Roth | Sigma Integrated Rule Set (GitHub) | d67139d73a6d7369e526a363923c3f504c081ba52a8f8556080f518c4302090f | 3 | 0
Suspicious Splwow64 Without Params | Florian Roth | Sigma Integrated Rule Set (GitHub) | c4e0758476210a09a3e470db05d2cbec0aebd511e48d351685c75970566f894f | 3 | 2
Suspicious WindowsTerminal Child Processes | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 38cc71193a6a791f4d2ddb67fdf3a6baafab25ec9f4c861b11fbdca1c94a3f08 | 3 | 0
Suspicious desktop.ini Action | Maxime Thiebaut (@0xThiebaut) | Sigma Integrated Rule Set (GitHub) | cdd5a8ff564f3632d9613d1f4925baca8be40a01fe14c7ba3e30f51bf1ff3829 | 3 | 0
Usage of Sysinternals Tools | Markus Neis | Sigma Integrated Rule Set (GitHub) | 1e33259c56ec61269739a1b6f2e7e13760703a505f60b194702ff716a6fe0fbc | 3 | 0
VMToolsd Suspicious Child Process | behops, Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | bd7b9679a8b4de81c85050399fe9679a23a1ea3bb48ef31509d208152db750f4 | 3 | 0
WerFault LSASS Process Memory Dump | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 698bc272479b99ab8911efeb4b32e6de83a3fa47b310e5829ce6e8ff5702b1d2 | 3 | 0
Windows Defender Threat Detection Disabled | Ján Trenčanský, frack113 | Sigma Integrated Rule Set (GitHub) | fd0a272556e2d962e1ecfb8d8fa8ab6f1d728c870db382b0b56dc04e7bf20317 | 3 | 0
Windows Shell Spawning Suspicious Program | Florian Roth | Sigma Integrated Rule Set (GitHub) | 80bbf1ed6106205ab2926430c9634286f976b2fee4357dbacddec45b979a4422 | 3 | 0
Wmic Uninstall Security Product | Florian Roth, Nasreddine Bencherchali | Sigma Integrated Rule Set (GitHub) | deb3cdf84cc34aa311e6bb923cb0b259584940b4e6d724a32706971b5147607f | 3 | 0
APT 37 | Ariel Millahuel | SOC Prime Threat Detection Marketplace | a5976bfe7c4ff52e5b70711a7444670a4f2d462e99bd30d3c6950495e32018ac | 2 | 0
Add Windows Capability Via PowerShell Cmdlet | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 684b246bdb157e11d1985c522a8f891d7dfea0ec8d30864c9e2fe04cc9564973 | 2 | 1
AnteFrigus Ransomware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 8b18641dc7819baf3c131b24088048e3cf6ac0f5946f136a2c0b0b36a3754141 | 2 | 0
Arbitrary File Download Via MSPUB.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a70e1836669aefe4c5a9b48179c7a3c4857505b87dbf8a3bb424d268fa80d857 | 2 | 0
BlackByte Ransomware Patterns | Florian Roth | Sigma Integrated Rule Set (GitHub) | 84b39fa5fbd9d5726548c90280f53428562a3fef57fff40cbb48ae96cbd05757 | 2 | 0
Creation of a Diagcab | frack113 | Sigma Integrated Rule Set (GitHub) | 76466a8380202538b40850a954fbd8b6bab964c61bff3742c35d8a8e0bc582fe | 2 | 0
Evrial Stealer (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 9d5974817e9c9eeb05c8b60f23de31930c84cb3eb8d247767b7fe7bdbec4ad23 | 2 | 0
Excel Proxy Executing Regsvr32 With Payload | Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule) | Sigma Integrated Rule Set (GitHub) | 368433c7157e0778f035c6c8b5a6cd0f273d860606bfa36f632144c7050b4c7d | 2 | 0
Excel Proxy Executing Regsvr32 With Payload | Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule) | Sigma Integrated Rule Set (GitHub) | 769fe648255c0a237ee125f74d2685b54cf7799f6b5cffeae1f2fee47164091c | 2 | 0
Executables Started in Suspicious Folder | Florian Roth | Sigma Integrated Rule Set (GitHub) | 934747e347848f3bf5d2222f0c29c4c6e42831b94a6e0ce77ff40017e5f11fd2 | 2 | 0
Execution via stordiag.exe | Austin Songer (@austinsonger) | Sigma Integrated Rule Set (GitHub) | c012b058c607c697ab3013783a9a418dd2b233fa1f22ea4f8160238a19c65577 | 2 | 2
External Remote RDP Logon from Public IP | Micah Babinski (@micahbabinski), Zach Mathis (@yamatosecurity) | Sigma Integrated Rule Set (GitHub) | 49aec14518e31487cacf1b97c8d227e4485f822a6a30d04b3fac2c7c145dbc74 | 2 | 0
HackTool - SharpLDAPmonitor Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | e45b16fd030f52e69c512e3570de6d000efb8a0e03c4073637e04aa773354410 | 2 | 0
HackTool - Stracciatella Execution | pH-T (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 91b5e23483ca6c8edbfa31c7fb6978213e819e3f968f35d109a7fb75c36c3deb | 2 | 0
HackTool - TruffleSnout Execution | frack113 | Sigma Integrated Rule Set (GitHub) | 2f2b803c7e154a72c734f5b9d5c3d332b3174757ed624c55dad5a52ad36934f8 | 2 | 0
HiveRAT detection | Ariel Millahuel | SOC Prime Threat Detection Marketplace | bfa9006c02a3c62043c1bd4c10f77dd29fc786bc22855e00928082034c4307cc | 2 | 0
Invoke-Obfuscation Via Use Clip - Powershell | Nikita Nazarov, oscd.community | Sigma Integrated Rule Set (GitHub) | 1c3ea7c0333da16496964e50a5e57012a3b70695f952212351e08d08530da6d0 | 2 | 0
JSC Convert Javascript To Executable | frack113 | Sigma Integrated Rule Set (GitHub) | 2ff165b71352ba7322e48c1d765629db5ccf8ba92e65a3ab9a4d375da0846a6b | 2 | 0
Mounted Windows Admin Shares with net.exe | oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, wagga | Sigma Integrated Rule Set (GitHub) | 816c82737c8262b4f167d02b04198105def46bd23ea282a655786d387e88118c | 2 | 0
New Hidden Tear ransomware variant | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 92dd4e3ca17ea4f0bdfb71304a8fcbbd234749a15c0c26579fac17253c4b2463 | 2 | 0
Potential CVE-2021-26857 Exploitation Attempt | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | 6a562c9f35089d87a91ec35ae35044bfb9902969d69d04e8f50b1e9f2b14b4d0 | 2 | 2
Potential CobaltStrike Process Patterns | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | f6b39e4a331f85ca7590bf725ff05b84567ac82eecf2ef761c60e4baed042482 | 2 | 0
Potential Credential Dumping Attempt Via PowerShell Remote Thread | oscd.community, Natalia Shornikova | Sigma Integrated Rule Set (GitHub) | ed3831d20478d9b3e7a4bada4351902574fc0eb36fbfd51032119c477b94e4fc | 2 | 0
Potential Defense Evasion Via Right-to-Left Override | Micah Babinski, @micahbabinski | Sigma Integrated Rule Set (GitHub) | 8c9d950be3588ee779f57d3c33f03abbaa5ab145cac1a897bfa816cd0745a1c9 | 2 | 0
Potential Dtrack RAT Activity | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | fbcabbd5b0fb4855de3b0bcf6bd58239facf0733ad46f2269ef540d344acb5bb | 2 | 0
Potential Persistence Via MyComputer Registry Keys | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | f776409e7a0ad2cd5dbb2241bddedc4d94cffb55043ccb0254fd7266f7f10720 | 2 | 0
Potential PowerShell Execution Policy Tampering | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 49b185e25e68c30cebd01a44e72bda0c359c132bb364ef487a935de293813a78 | 2 | 0
Powershell Exchange Snapin (via cmdline) | SOC Prime Team, Microsoft | SOC Prime Threat Detection Marketplace | 1920836da8784b3f635f88d7c9216b6619a5f5613a5d53fefb342c817897a736 | 2 | 0
Powershell WMI Persistence | frack113 | Sigma Integrated Rule Set (GitHub) | d31a6afb995dab0473ccaefae327155cd4ba87afbabf6a872553475c50bb7182 | 2 | 1
PsiXBot Malware behavior | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 63753d667c596fd59cca6de277c7a4f8062dd47fb2ae19a1efdda0cbb8d7692b | 2 | 0
Regedit as Trusted Installer | Florian Roth | Sigma Integrated Rule Set (GitHub) | 40b85d8543b5dc00f22211f0dd2f05012b435d38fd8e170370986c189a9b39f2 | 2 | 0
Removal Of Amsi Provider Reg Key | frack113 | Sigma Integrated Rule Set (GitHub) | 29e103486311c7c5f253e500ab6386c2aba984cb782efe903a88f082d3f70254 | 2 | 0
Renamed Binary | Matthew Green - @mgreen27, Ecco, James Pemberton / @4A616D6573, oscd.community (improvements), Andreas Hunkeler (@Karneades) | Sigma Integrated Rule Set (GitHub) | 686a5b6d5e098e507256a7207e9e4a237bb378c824f67f13ee0402525833b257 | 2 | 0
Response File Execution Via Odbcconf.EXE | Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 18ab8cf17024175e4f1d5ec237de24dcfb16890beb4847d0e90e79e0c59cfc85 | 2 | 1
Startup Folder File Write | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | 56b8c79acb8e444c2b00be5c9d3cb8e33e863ccb3506d635f907a49cd053c84f | 2 | 0
Suspicious Copy From or To System32 | Florian Roth, Markus Neis | Sigma Integrated Rule Set (GitHub) | de683a6054ff03b9c12e58c842648f759cfcf797f91dc01078d285e8f3f8e856 | 2 | 0
Suspicious Extrac32 Alternate Data Stream Execution | frack113 | Sigma Integrated Rule Set (GitHub) | 908072bc38c223e94e034ac7acafdfda27359b429525af331f388a7ef0e2b66c | 2 | 2
Suspicious File Encoded To Base64 Via Certutil.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | aa7741239d7d626a6e7b92ca2405578c580c500eef1489d3115aef2b00b667d1 | 2 | 1
Suspicious MsiExec Directory | Florian Roth | Sigma Integrated Rule Set (GitHub) | 709fa572c6d4a06b81742c9cefd264b1debafc1f9b2aedc9798d5cb749d52458 | 2 | 0
Suspicious Mstsc.EXE Execution With Local RDP File | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 205a65cd894184e7d2a59da78310f8cb3262995f30c3015a05293c7754e5916c | 2 | 0
Suspicious PowerShell Mailbox SMTP Forward Rule | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a9b0d95e9a34c915ab22d89c790c054977cd6411f4fdebffa6e36f09e5376c9c | 2 | 2
Suspicious Processes Spawned by WinRM | Andreas Hunkeler (@Karneades), Markus Neis | Sigma Integrated Rule Set (GitHub) | dff6f482b1c3296a1eba449d732fe05e7b9a61f56c3849298ee9d06cec81c941 | 2 | 0
Suspicious Program Location Process Starts | Florian Roth | Sigma Integrated Rule Set (GitHub) | c593fd1eac248d2f05a155e6c8ef2682b9022a12bc03104ff8e9e7c40f585268 | 2 | 0
Suspicious Program Location with Network Connections | Florian Roth | Sigma Integrated Rule Set (GitHub) | 01b1cc2515aec2562e5e8cd3c88a60677a1acd2d680b289cf67fa493abe433d2 | 2 | 0
Suspicious Regsvr32 Execution From Remote Share | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 0415bc3e4953b49601e59c9e77f268c8b8163cb32d777dc5a37b169f9fcbd8ca | 2 | 1
Suspicious Set Value of MSDT in Registry (CVE-2022-30190) | Sittikorn S | Sigma Integrated Rule Set (GitHub) | 08f4372e76fc0605c4e338fe71c656a918209c7ab03da84c96c5f8d99d4bc241 | 2 | 0
Suspicious Use of Procdump Florian Roth Sigma Integrated Rule Set (GitHub) bf45bfecf2446b7f2b7904bc35a7006ea9bfae3e8ba4d6ab35dfcb00095b0b9d 2 0
Tamper Windows Defender Remove-MpPreference - ScriptBlockLogging Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 413ab718402521225cd65e7866d07b849a38758c52a3bf913da2fcc4bce26ab3 2 2
UAC Bypass Using ChangePK and SLUI Christian Burkard Sigma Integrated Rule Set (GitHub) a334f66679d3e373f49f08113614e79457c624e8ef315085de12c285bc5d7d4e 2 1
UAC Bypass via Sdclt Omer Yampel, Christian Burkard (Nextron Systems) Sigma Integrated Rule Set (GitHub) 9e30ed5d0167ae542ae090b30e0049496a63c5c9c63bb37e80d62532640cfc6b 2 0
UMWorkerProcess Creating Unusual Child Process CVE-2021-26857 (via cmdline) SOC Prime Team, Microsoft SOC Prime Threat Detection Marketplace 777e78408dd5e81cb40b0dd4b18dc729cd882538beac8337067e6a2ceb940493 2 2
Unusual File Download From File Sharing Websites Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) f57e9a5165fe649d867e207c503dd53a05dbd5175c68be9a369174832afc8614 2 2
Unusual File Download from Direct IP Address Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) a2b6862e0b28e1527a68e771f4a09cc77cc168e10e6c8d978df736c414320a01 2 2
Use of VisualUiaVerifyNative.exe Christopher Peacock @SecurePeacock, SCYTHE @scythe_io Sigma Integrated Rule Set (GitHub) c2fb9169c48cfbf7abc02540d8fc5c9d887473aed872aed30dbd4f8a9ead5a5b 2 1
WMImplant Hack Tool NVISO Sigma Integrated Rule Set (GitHub) 6b93b7bce89874009dd0ecb10a52f610736bcb6d33fe425d9295732660f6b7ab 2 0
WSF/JSE/JS/VBA/VBE File Execution Michael Haag Sigma Integrated Rule Set (GitHub) 8b884f70bb47a8e06faf8f548fcfef77fe3802d22c310c4cdfa01f35cb030bac 2 0
Windows Credential Manager Access via VaultCmd frack113 Sigma Integrated Rule Set (GitHub) 3444e8af7fe049353761c697d9c300841002cb9979f0754558abb2baaa8c915f 2 0
Windows Kernel Debugger Execution Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) bdfabe357d29db481ce92a1bf99197e1220f79336d0a6a891f56d430f607e756 2 1
Windows PowerShell Web Request James Pemberton / @4A616D6573 Sigma Integrated Rule Set (GitHub) 2637f98feb69311f94822998eb3c8b8d217e6c5767e071536ca54f9da830e236 2 0
Zip A Folder With PowerShell For Staging In Temp frack113 Sigma Integrated Rule Set (GitHub) f9da722f2b9be68744c84591d71fc78f53410669a0b7da802cb3abdb56d3fd72 2 2
Zip A Folder With PowerShell For Staging In Temp - PowerShell Module frack113 Sigma Integrated Rule Set (GitHub) deeb1a213004e4f328c59f035fe5bdbfe766ac3d8a0ea7f9a916c12bc145491f 2 2
APT 37 Ariel Millahuel SOC Prime Threat Detection Marketplace c53c2f741a37b554e1a5a16737f3c6f27a5818e8474ade69f599e8d18b6df51a 1 0
Add Port Monitor Persistence in Registry frack113 Sigma Integrated Rule Set (GitHub) 8dbe594a0f4eb93aed5bfffd0545b03cb0d8c91d229a169700c0d5a7b140795b 1 1
Add Windows Capability Via PowerShell Script Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) f0193a082ffec8bb49a0621541982fe0c6a2ba5f5b536f62789f83021ee4270a 1 1
Always Install Elevated MSI Spawned Cmd And Powershell Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community Sigma Integrated Rule Set (GitHub) 742d7b1dbef016ab3810ec50354e231948fa035c8cacfec6b18f3a8fba03c2dc 1 0
CACTUSTORCH Remote Thread Creation @SBousseaden (detection), Thomas Patzke (rule) Sigma Integrated Rule Set (GitHub) 7b0f6b7c0939954a4e8dd01dcda83d20044a57808d265a6697c3580fde333062 1 0
CL_LoadAssembly.ps1 Proxy Execution frack113 Sigma Integrated Rule Set (GitHub) aa273ed357d9327c9c8131f9175a347aa2c8c8fa545e8642b56404eb76668070 1 1
Cerber Ransomware Ariel Millahuel SOC Prime Threat Detection Marketplace 73c0a64c5562e339d22b6dd8487f58f08f817a078ee2d99fa508f2bcec9487d2 1 0
Check privilege of CMD via whoami Joe Security Joe Security Rule Set (GitHub) 07a05a43e0384cce9c41d6cb6ed256ebce6aea8c6455db044d755ece6063babe 1 0
CobaltStrike Process Injection Olaf Hartong, Florian Roth, Aleksey Potapov, oscd.community Sigma Integrated Rule Set (GitHub) a95251178853987552aca691c7ec1d2e31c91213e0e11f80fd3e7789a1234894 1 0
Command Line Execution with Suspicious URL and AppData Strings Florian Roth, Jonhnathan Ribeiro, oscd.community Sigma Integrated Rule Set (GitHub) 0585dd5b67e1bced48ad1dc8f9e0b66fd4e44c6e7c14dd5b385950c97e15b768 1 0
Create Volume Shadow Copy with Powershell frack113 Sigma Integrated Rule Set (GitHub) ef1d2531cf3919c8ed1ffd678acc8325c41225368f4add8ce5d727f9d4f742ba 1 1
Credwiz util dropped by mshta for dll sideloading Joe Security Joe Security Rule Set (GitHub) 47b76425766ceb0d5f71f5b737ae4660dc4fcaa91295131395a542596953ef67 1 0
DarkRAT Botnet Ariel Millahuel SOC Prime Threat Detection Marketplace 5157203e484dbfa217f40f7089460a4c6713e54ef44ca66a31ec7d5c820f0d26 1 0
DarkSide Ransomware Pattern Florian Roth Sigma Integrated Rule Set (GitHub) 5c4ba608ec7db931a6491db14857b098a88caf78b2c28087f16fa4aeeb05c8d0 1 0
DirectorySearcher Powershell Exploitation frack113 Sigma Integrated Rule Set (GitHub) 59fea38f0030f37a8b1bcefb7450d7a94ba474f5e72db8b8f7a4850d643ad2e3 1 0
Disable Powershell Command History Ali Alwashali Sigma Integrated Rule Set (GitHub) 9bad9ab33b286bb06b80490c60a3b9a1136560cf838d47ba48b3384b762267e6 1 0
Download a File with IMEWDBLD.exe frack113 Sigma Integrated Rule Set (GitHub) 785fda7f769e06444f3d969a9e64bac3cb1625df98e533dffbb90df45425e748 1 0
Dumpert Process Dumper Florian Roth Sigma Integrated Rule Set (GitHub) 4f4552b72d1fdf1daa9803088eabda70a1a8259d5eae424fcbf3b7edae985b63 1 0
Exchange Exploitation Activity Florian Roth Sigma Integrated Rule Set (GitHub) a53120d1ec17fbf608c6da8cb88f544b76206e830dd4ec17155f718bf5851d0f 1 0
Exfiltration and Tunneling Tools Execution Daniil Yugoslavskiy, oscd.community Sigma Integrated Rule Set (GitHub) 6ba70df29bf2469a0e7931226da06a144c5e9044543a14e1fae2bcd6c17f9374 1 1
GatherNetworkInfo.vbs Script Usage blueteamer8699 Sigma Integrated Rule Set (GitHub) 93d3c8484d953299cdaafb696acdb7e33fd8a569cd8682a0d501a122f2b8290b 1 0
HackTool - SharpEvtMute Execution Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 7f4ab47a48c30eefe0bd92c3fe92c7f2481803dfb5833689959c5f32bff77dc2 1 0
Hide User Account Via Special Accounts Reg Key Nasreddine Bencherchali Sigma Integrated Rule Set (GitHub) c5763f84925887a9d36054776ddf6d48e47d552ec2e7fed586026049488c127c 1 1
Highly Relevant Renamed Binary Matthew Green - @mgreen27, Florian Roth Sigma Integrated Rule Set (GitHub) 6a0e84509806d4477d42410fb267c817a01015e3dcc33e48330f8db0ba9709da 1 0
HybridConnectionManager Service Installation - Registry Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) Sigma Integrated Rule Set (GitHub) 6ba69204045297b2467cffd2d3908dc1588e213dfeaf62bb11c1778c9d93dcf0 1 1
Internet Explorer DisableFirstRunCustomize Enabled Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) b5977f01764dc3b0e2e3b7592943fc4bb6b4e55d5fcec607c905ea26d222e9c6 1 0
Invoke-Obfuscation STDIN+ Launcher - Powershell Jonathan Cheong, oscd.community Sigma Integrated Rule Set (GitHub) 8bc4688c4e1827de8ac2769dd693f5ee1d6a3dd731e0fa459a1d47788bc3ab77 1 0
LSA PPL Protection Disabled Via Reg.EXE Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 80855f8a9447aabc3c921b18396835e82ab35d2beb39b56f2d34d156ca2ac9ae 1 0
Local Accounts Discovery Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community Sigma Integrated Rule Set (GitHub) ec63f6d5ea6cf1a23c7c491b28d6b350219d23a95ea95516ce0256730fb7912c 1 0
LockerGoga Ransomware Activity Vasiliy Burov, oscd.community Sigma Integrated Rule Set (GitHub) 0c0ba5aebd0db3facb25385b2dbdc2b2a34be391da1993bc8a02c689608fba16 1 0
MSBuild execute suspicous task Joe Security Joe Security Rule Set (GitHub) 850ce3b49e2fc441426c3b9ec59e195d417194b461fe480e76d2482bcd20112d 1 0
Malicious PE Execution by Microsoft Visual Studio Debugger Agro (@agro_sev), Ensar Şamil (@sblmsrsn), oscd.community Sigma Integrated Rule Set (GitHub) 833d1e3036176fa960339790e9389d39187ba0c444aa4b1f1d3adc81c860b9fd 1 0
Maze Ransomware Florian Roth Sigma Integrated Rule Set (GitHub) d807dbfa78ad565695bdfaa5793858aa25a153091a49b554975f48182344c78f 1 0
Microsoft Office Product Spawning Windows Shell Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team Sigma Integrated Rule Set (GitHub) 6a6edfdea6536f74ea66bf73682ed52f4b86435793ed76ff38e3ab0523f029f5 1 0
Moriya Rootkit Bhabesh Raj Sigma Integrated Rule Set (GitHub) 4a9ddb920ad6eab5d240fd46b4a22a2839ea161414fab29fdcd567a468de9295 1 0
Mshta JavaScript Execution E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community Sigma Integrated Rule Set (GitHub) f6f3741fe71241687646386731e58cbb9eb5dd4b8db836bb8840c3d02e5462b8 1 0
NPPSpy Hacktool Usage Florian Roth Sigma Integrated Rule Set (GitHub) fe93afc27b2b53b9e4deb1b29d0172ddf97ab492beba618fda8529d8eb602bed 1 0
Nansh0u Campaign (Sysmon detection) Ariel Millahuel SOC Prime Threat Detection Marketplace 904193bc621aaa8bd679e31840889e7e0ebdd3012ad80cd285a787efa9a21a1e 1 0
Node Process Executions Max Altgelt (Nextron Systems) Sigma Integrated Rule Set (GitHub) 9202f610baa020320fb0754246900aef3eb9d7cab948cd7896901c509b02cb91 1 1
PUA - Potential PE Metadata Tamper Using Rcedit Micah Babinski Sigma Integrated Rule Set (GitHub) 8eb59cf451fc1b4a57d9996082ad83751d5fe59d20e9b3562534ccf7fa0a07ab 1 0
Perl Inline Command Execution Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) d7702078dd10096eb5abed05e061a8a1faec0e7904a86b6b39f6faaaa294190c 1 1
Permission Misconfiguration Reconnaissance Via Findstr.EXE Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) c26472b8ef978b2519ce5cb30b5d30baa08b0717a6302fcbfc81a2c8ebde884b 1 1
Phishing Pattern ISO in Archive Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 2df698bbd801db84c12100296dbba0869a2e6936088abee3147315e5617f7fbf 1 0
Php Inline Command Execution Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) beb929216e4b57c3b1275c3d5d5bf04fed77445512365bc0d3af736280b5b382 1 0
Possible InstallerFileTakeOver LPE CVE-2021-41379 Florian Roth Sigma Integrated Rule Set (GitHub) 1649fcc98b56dc9cfc742a4a6df24ac3e91123ac466268300afc87e3f91191e2 1 0
Potential Attachment Manager Settings Attachments Tamper Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) ab75582abe82ab90071a874b2fc815cf2027c5505ce7f0b149210f67dd27dfbd 1 0
Potential COM Objects Download Cradles Usage - PS Script frack113 Sigma Integrated Rule Set (GitHub) 139dfd44d42316af195b126ba90bfe2e69202770b83f23cedc967bd558604186 1 0
Potential Credential Dumping Attempt Using New NetworkProvider - CLI Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 4777339ddbbc4185feac4c036855d36de485c1178bdd82acf02e02b9b3792f27 1 0
Potential Persistence Via Security Descriptors - ScriptBlock Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 1f7de9310570e85851b78387f389d4afad2aec4f21a751de564e4d9dbe8ef806 1 0
Potential Registry Persistence Attempt Via DbgManagedDebugger frack113 Sigma Integrated Rule Set (GitHub) 0764cda98bb00fbde3294e28d5bb3b95797a31d8931448c764caa0743451358f 1 1
Potential SAM Database Dump Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 80a403e95306ff656dab00a85d9565922c30f10b9cceccba105e76eedb357bc1 1 0
PowerShell Download from URL Florian Roth, oscd.community, Jonhnathan Ribeiro Sigma Integrated Rule Set (GitHub) 24c9049c81b149aa4537cce166e36f3697878dcdad3fab8b662889d154056d7c 1 0
PowerShell DownloadFile Florian Roth Sigma Integrated Rule Set (GitHub) f0282b9dc90a1761ed8cfb90b52bc5f53c2c8ccbff1ca29790e8d17c7eae56dd 1 0
PowerShell Logging Disabled Via Registry Key Tampering frack113 Sigma Integrated Rule Set (GitHub) e08c8016940ec5fbedc1d8b08fff3fb1c6bdf197e8fea3c4fbceaa55058f07a3 1 0
PowerShell Scripts Run by a Services oscd.community, Natalia Shornikova Sigma Integrated Rule Set (GitHub) 014598477a00db3dbeee84e541504e310712bfb7380fe0f6c18921580f829d4e 1 0
Powershell delayed execution via ping command Joe Security Joe Security Rule Set (GitHub) 9a4875b9a93f7ed6dd4f6259f58f0ff372f1351c267c6d112364a3064aeae82f 1 0
Powershell run code from registry Joe Security Joe Security Rule Set (GitHub) 09cf140e4816d8c5bcb37b98e996e455d8127cbccdf4287901654f824cf63f13 1 0
Query Registry Timur Zinniatullin, oscd.community Sigma Integrated Rule Set (GitHub) 218d6661cbefbe4342fb5e6f0aa14df5602a3a39691bb19b246644804e6d341f 1 0
RDP Registry Modification Roberto Rodriguez @Cyb3rWard0g Sigma Integrated Rule Set (GitHub) 7aaf54115e7c0d8450b858520101c04264b58e033da253ad20a672a00b52b5ae 1 0
RDP Sensitive Settings Changed Samir Bousseaden Sigma Integrated Rule Set (GitHub) c1a07dc6104bfa9dcd638f1c9f04504dafbbb28fdf3a4f36dc6af48802194787 1 0
Remote Access Tool - AnyDesk Piped Password Via CLI Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 6e0d326cf1248be3c35ad4a980fd0b6fd00f190e2b6bac28494062e11f1d9db1 1 0
Rename system process and copy to suspicious location Joe Security Joe Security Rule Set (GitHub) ae5e05ff7a2f5d6e654578b73a1ddc50baeec856b0ab003ad6852c80beb8b068 1 0
Renamed PowerShell Florian Roth, frack113 Sigma Integrated Rule Set (GitHub) 52606fbb97633e0a2c2581ff33bcb2bb212da3c00b02cbf971e5a0aa2f7b4cab 1 0
Root Certificate Installed From Susp Locations Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 99ad87050a603d266b14f9d38b78913daa61c2b7dc6b1441427d022050ccc8b7 1 0
Rundll32 JS RunHTMLApplication Pattern Florian Roth Sigma Integrated Rule Set (GitHub) 343b001a9d0d8504e1dad1dec564de589c763ce6c3c86ccf9ad3ec5835a3e879 1 0
Sapphire Ransomware (Sysmon detection) Ariel Millahuel SOC Prime Threat Detection Marketplace af5ee1ff302412603f190ad74d459219970f99e1b5a92d952a2e953f522b38c3 1 0
Scarab Ransomware Ariel Millahuel SOC Prime Threat Detection Marketplace c3b33a6ba821d844c3bfc5a217489aca877dc9bc6c76c84e4d8cabd6a320bd7b 1 0
Sideloading Link.EXE Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) d12dc80661a49ab922f3ed3b488e8a49f6edf53b777c918dc2f0b905b20d9bbb 1 1
Suspicious Cmdl32 Execution frack113 Sigma Integrated Rule Set (GitHub) cf2baf60d63943d7200da28391b4e63298b2d186faf45b499b001ca84dc882ea 1 1
Suspicious Compression Tool Parameters Florian Roth, Samir Bousseaden Sigma Integrated Rule Set (GitHub) 9ffd116f512698b4f9b310ee5526625ddf70dc16d7e3a87e744f709c8b537b2e 1 0
Suspicious CustomShellHost Execution Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 540a06a16bc10e1e472979a3ae3af251fd81638d7e2df1eca74f74a3c9bcdfae 1 0
Suspicious File Execution From Internet Hosted WebDav Share pH-T (Nextron Systems) Sigma Integrated Rule Set (GitHub) 9d307b7c423134f5ddcbc65c0c787b0ca177d16056abb95987cbefda5e9da1ed 1 0
Suspicious PowerShell Invocation Based on Parent Process Florian Roth Sigma Integrated Rule Set (GitHub) c089503ba0204ebcc3605f01ef3ba76dfff60846f2bad81faf9eae455e81921b 1 0
Suspicious Rundll32 Activity Invoking Sys File Florian Roth Sigma Integrated Rule Set (GitHub) f4b9a5aba26ac1d465f55970b8defeab4a4704def7889e6c296b0f33cd1fad27 1 0
Suspicious Rundll32 Invoking Inline VBScript Florian Roth Sigma Integrated Rule Set (GitHub) 40e3e97976c84f512b11ec485b8dc54ce731851327fe05beff6b567fdfe2b91b 1 0
Suspicious SYSTEM User Process Creation Florian Roth (rule), David ANDRE (additional keywords) Sigma Integrated Rule Set (GitHub) d0b906c9286d892a8434845afa7551135e37841bdace5aa7fdf1c6bd9a823c73 1 0
Suspicious Spool Service Child Process Justin C. (@endisphotic), @dreadphones (detection), Thomas Patzke (Sigma rule) Sigma Integrated Rule Set (GitHub) 2445eef8bbfc5d52245783f3d3a39b67d2a9e863e057b9710358f473c4a0d9ed 1 0
Suspicious ZipExec Execution frack113 Sigma Integrated Rule Set (GitHub) 4299b17cc3fb6f5ed2bc90d612e461452723118f5b71a85231879dcf7c197ead 1 0
Sysinternals PsSuspend Execution Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) a5499c523df320d4d17393e8439d7a17bdbe13b398428715aa85f865a9ac040e 1 0
Tap Driver Installation Daniil Yugoslavskiy, Ian Davis, oscd.community Sigma Integrated Rule Set (GitHub) 7bd4ba31d00dc2c285a409cd7939611accc6c2934992f8e9cd0ce8c32ad0c40c 1 1
Tap Installer Execution Daniil Yugoslavskiy, Ian Davis, oscd.community Sigma Integrated Rule Set (GitHub) 47fed78a8bb63a7dee467bd25acd7bbfb704d602012f1a2228eb56c9f6760b7a 1 1
Tycoon Ransomware Ariel Millahuel SOC Prime Threat Detection Marketplace a1c44f103e75c8295cdbb587af4bac07f2b77445d54c17a424e7dce924a981ce 1 0
Uncommon Child Process Spawned By Odbcconf.EXE Harjot Singh @cyb3rjy0t Sigma Integrated Rule Set (GitHub) 7e8cf2aa9c53d27e74ec5d758c244e7939c04f5252650030b441077572cfcbe2 1 0
Usage Of Malicious POORTRY Signed Driver Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) b6bbc36542c77f8d058bdc271a081010f06acd3d3b84465a3ab065bc5723eb46 1 0
Using AppVLP To Circumvent ASR File Path Rule Sreeman Sigma Integrated Rule Set (GitHub) e95a64931dc936ea0b79a4d48a5cf5f247dc55a78f0cb754480de9f58dcd9ce2 1 0
VolumeShadowCopy Symlink Creation Via Mklink Teymur Kheirkhabarov, oscd.community Sigma Integrated Rule Set (GitHub) 3b5b0346a9d3b5b510bfd33a67662439c44419ada001c73160bdcc75d76b2d3b 1 1
Vulnerable AVAST Anti Rootkit Driver Load Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) e9c74d53713106fb02366cb62d020afa0660b87c13561de9c43553b46bcb0d06 1 0
WannaCry Ransomware Florian Roth (rule), Tom U. @c_APT_ure (collection), oscd.community, Jonhnathan Ribeiro Sigma Integrated Rule Set (GitHub) b8a9a3d755cac11238eb37aa06d27255714356075872c2e2e140acfb3e8ab8b0 1 0
Windows PowerShell Web Request James Pemberton / @4A616D6573 Sigma Integrated Rule Set (GitHub) 226bf9a98dfb94416c0f984ecfd7e566a55fd0efe2af4257055b1f1be1501377 1 0
Winrar Compressing Dump Files Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 751aa9f10bb034af3fd96ddfd10baf6ff799f92e0d2802249e1d957644c16591 1 0
Wmic Launch regsvr32 Joe Security Joe Security Rule Set (GitHub) 4bd4adb7096f2875c9d4780cebd4f8cc5d8f98ae072aa38aea08cb38ea623042 1 0
XORDump Use Florian Roth Sigma Integrated Rule Set (GitHub) 4abc044da118e9866fcf5bc9e7da198eb9947cb37219f7a3b35126a70e5dbb60 1 0
XSL Script Processing Timur Zinniatullin, oscd.community Sigma Integrated Rule Set (GitHub) e80db9df819552f83bb1bc542be2503390d7a47f3c26ea4db86797b530411d2c 1 0
rundll32 launch mshta and run script from internet Joe Security Joe Security Rule Set (GitHub) 529f06043b5ec852cb07ebe7880eaedad5dfcb5b041100dd85458b5ae5d43c1c 1 0
(SIGRED) CVE-2020-1350 DNS Remote Code Exploit [via HTTP/Proxy Logs] SOC Prime Team SOC Prime Threat Detection Marketplace 2c660e94b9dd36c78c57a2250c28533823a79106701103f8b2a662501cc2a379 0 0
(SIGRED) CVE-2020-1350 DNS Remote Code Exploit [via HTTP/Proxy Logs] SOC Prime Team SOC Prime Threat Detection Marketplace f45ee46c268733c28e2e456cd180b06976bca8e8fc0819a141d83778e7e6908b 0 0
A Security-Enabled Global Group Was Deleted Alexandr Yampolskyi, SOC Prime Sigma Integrated Rule Set (GitHub) bf3e787c52710338f2de4d60dc5d8c182f8014d194883f95053611e83cb06306 0 0
AADInternals PowerShell Cmdlets Execution - ProccessCreation Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) b16d67523f0579e7a519f3728bfe10cb26d5526cc90e1b975b33341e51ba7854 0 0
AD Groups Or Users Enumeration Using PowerShell - PoshModule frack113 Sigma Integrated Rule Set (GitHub) a205be34057679bd055b1f3cb3fd18d4d31f2b0bd776288ccba6be10b5a818e0 0 0
AD Object WriteDAC Access Roberto Rodriguez @Cyb3rWard0g Sigma Integrated Rule Set (GitHub) 58cec962c267e019fa838d36e02695d7254409214165d3ac1363b49e8711131a 0 0
AD Privileged Users or Groups Reconnaissance Samir Bousseaden Sigma Integrated Rule Set (GitHub) 14cbefe2ccc7618cf17e2c9b92743b97fbf394277a7c17c58ebb3d942aa0a0fd 0 0
AD User Enumeration Maxime Thiebaut (@0xThiebaut) Sigma Integrated Rule Set (GitHub) 1a4024d9c095d28a1da18eb257926feded8ec7d7ea03762f6eab63b22a41721e 0 0
ADCS Certificate Template Configuration Vulnerability Orlinum, BlueDefenZer Sigma Integrated Rule Set (GitHub) 6d83e2c5d3c8dd6baf3897d1fcfef08e8e7745f60a8712ff35acc679d26b2db6 0 0
ADCS Certificate Template Configuration Vulnerability with Risky EKU Orlinum, BlueDefenZer Sigma Integrated Rule Set (GitHub) 145c680f84c610717ce0f64126642e2075071657c6b04077e58c08042f45b3dd 0 0
ADCSPwn Hack Tool Florian Roth Sigma Integrated Rule Set (GitHub) 945059b9924f612aec04c225310cee7009f0951805322568a62ebbefb71e63b0 0 0
ADFS Adapter Process Spawns (via cmdline) SOC Prime Team, Microsoft SOC Prime Threat Detection Marketplace 5b090817d20c98f190eec819a6c655b46a96324e58e3195a7f9c5e076fae6acb 0 0
ADFS Database Named Pipe Connection Roberto Rodriguez @Cyb3rWard0g Sigma Integrated Rule Set (GitHub) 4066789e2f52a62b211079b31d3fecc622acde6f0aab1c5127584333f498102c 0 0
ADSelfService Exploitation Tobias Michalski, Max Altgelt Sigma Integrated Rule Set (GitHub) adb52649fba655a7c618328f8a47138b0829cd7ee3ff23c599542d6103b29a92 0 0
AKO Ransomware Ariel Millahuel SOC Prime Threat Detection Marketplace bb075da0c850b7587ce9434aef02a948171b3545ebd0914125d7f5fe4fa590dd 0 0
APT 37 Ariel Millahuel SOC Prime Threat Detection Marketplace 2c9099b138fc55d5fdb1dce07ff366a656ee06b6ff8dd57d238ce00e61809e4e 0 0
APT PRIVATELOG Image Load Pattern Florian Roth Sigma Integrated Rule Set (GitHub) 396dd003148797c25c2cb63e8f2c6e0b3973ed37675f9c214f6a40a269c94131 0 0
APT User Agent Florian Roth, Markus Neis Sigma Integrated Rule Set (GitHub) e2b73603c9441b256be9bab1ccd758407a6d6470859f0f6cb838ff2eadc08006 0 0
APT29 Florian Roth Sigma Integrated Rule Set (GitHub) 976e44f1ea7fa22eaa455580b185aaa44b66676f51fe2219d84736dc8b997d3e 0 0
APT29 2018 Phishing Campaign CommandLine Indicators Florian Roth (Nextron Systems), @41thexplorer Sigma Integrated Rule Set (GitHub) 8f2c777b3dc85aa4c4663fc4de3a1d8bd273ea3506fd8481a76de1a0ffb2c6b4 0 0
APT29 2018 Phishing Campaign File Indicators @41thexplorer Sigma Integrated Rule Set (GitHub) 120841a228484caff2f660319625b672d8b268d649f0522d99d2a59c6c60f3b3 0 0
APT29 Google Update Service Install Thomas Patzke Sigma Integrated Rule Set (GitHub) 34f4cff056f24abe91bb29dc04a37ee746a4255101a21724b9ff28d79785247a 0 0
APT29 Google Update Service Install Thomas Patzke Sigma Integrated Rule Set (GitHub) e6247b8fe178e47b7e98f318da90608dc7aaf94fa99fe8e933f0a05b6498bdb4 0 0
APT40 Dropbox Tool User Agent Thomas Patzke Sigma Integrated Rule Set (GitHub) 572ac9027db60bae5654b7a9bc5d58e315db0810b08d8142c6db54f5e9e7ed24 0 0
AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl Julia Fomina, oscd.community Sigma Integrated Rule Set (GitHub) 1d0bd876f993864d8a65e33ce45e152f3e49063e858a74169b77923d673483a8 0 0
AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl Julia Fomina, oscd.community Sigma Integrated Rule Set (GitHub) 3ac562f761dce56ddce1ba6581aace41ae7b64cf2b9fd64295b4d9d43c26aa21 0 0
AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl Julia Fomina, oscd.community Sigma Integrated Rule Set (GitHub) 3f84ecf411a71bd8d115a14303c8eac0baf1a7d57c27f81e99c78b2bff51f3c5 0 0
AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl Julia Fomina, oscd.community Sigma Integrated Rule Set (GitHub) a84e26c881c97617cb1fd0ca767f6c6a6aef9dc2b22b7c5346b71449a2bb5bbc 0 0
AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl Julia Fomina, oscd.community Sigma Integrated Rule Set (GitHub) d51a28a580a981a8c30c17c8985ac1d2bb9187f6dd4a55cf24b6f0c4cfc4c1f4 0 0
AWS Attached Malicious Lambda Layer Austin Songer Sigma Integrated Rule Set (GitHub) 0650616005d1cf25b22be420f69ef9f6271137f0d29697a56f3346877ffd37f8 0 0
AWS CloudTrail Important Change vitaliy0x1 Sigma Integrated Rule Set (GitHub) 4ef2dc5f6a20a823034706154832eb2b6caacbdd7526d5f72b41b87b661c18b9 0 0
AWS Config Disabling Channel/Recorder vitaliy0x1 Sigma Integrated Rule Set (GitHub) 1ca012603accfb34b464b1a408012216374690743be9979de051b99b95859e64 0 0
AWS EC2 Disable EBS Encryption Sittikorn S Sigma Integrated Rule Set (GitHub) 7cc31b5a6e3bb9dfe917930e9cff98c24e1477f39b93c17de733f572469e6746 0 0
AWS EC2 Download Userdata faloker Sigma Integrated Rule Set (GitHub) 52870d4d2756b6f3dde8066072d0df3fffc2208a2f13a11ad8dda6663fc6c12d 0 0
AWS EC2 Startup Shell Script Change faloker Sigma Integrated Rule Set (GitHub) 839d04c92bee18b43af5b78244d9a121efb5f27e4eebc842ae6c62a6c9e4b4f3 0 0
AWS EC2 VM Export Failure Diogo Braz Sigma Integrated Rule Set (GitHub) 510922d4a963b58fd4765ade7ccec8ec0d323813387711be4acd2577afcd50d5 0 0
AWS ECS Task Definition That Queries The Credential Endpoint Darin Smith Sigma Integrated Rule Set (GitHub) fc4d896380c961454c0e4e2298b4b42f7da55011348cdbec3ff9a56ba169b7a0 0 0
AWS EFS Fileshare Modified or Deleted Austin Songer @austinsonger Sigma Integrated Rule Set (GitHub) 320cb5ec91c7d2c86ae27ee1a995b6a6fad692c4dd4716db1bddc009cef68f24 0 0
AWS EFS Fileshare Mount Modified or Deleted Austin Songer @austinsonger Sigma Integrated Rule Set (GitHub) 557ffbb2dc96ead10718f0ce8e23abbd4520126cb5eb85b94b8f3d19e7ff6442 0 0
AWS EKS Cluster Created or Deleted Austin Songer Sigma Integrated Rule Set (GitHub) 633e9cc212d624837b46fa0381b5cb0f70e8a41bb219ae76550b862d16340cc1 0 0
AWS ElastiCache Security Group Created Austin Songer @austinsonger Sigma Integrated Rule Set (GitHub) 82c9482509e59596843bf9c369a8a818e8248c0b8cd43217762ccd4546d5471e 0 0
AWS ElastiCache Security Group Modified or Deleted Austin Songer @austinsonger Sigma Integrated Rule Set (GitHub) 886c07a825a6d3bd1d71d9238ecd1c47fe341acccd997dfca9df6d55d0ce1924 0 0
AWS Glue Development Endpoint Activity Austin Songer @austinsonger Sigma Integrated Rule Set (GitHub) 535cda9e5250683c27341783e572cb03b5946e3a3930ed6e7ec71fb51411adc6 0 0
AWS GuardDuty Important Change faloker Sigma Integrated Rule Set (GitHub) 315526975358ad2d0fa1b5c44442eda68a1a8a523b0c894de935ec21708b66ab 0 0
AWS IAM Backdoor Users Keys faloker Sigma Integrated Rule Set (GitHub) 8ccb5db92041ee60e6fab70bedfd8e59fb916edc1226612863ffd244a78e453d 0 0
AWS Lambda Function Created or Invoked Austin Songer @austinsonger Sigma Integrated Rule Set (GitHub) 3bf7f1b2fd7fe897356a4416891664478c352bcff4a562abbb4e29d59be58cad 0 0
AWS Macie Evasion Sittikorn S Sigma Integrated Rule Set (GitHub) 2caf12ef20a741df57dbd3af15b2018c587c7143520a8c077a4fb25e6dd8d75e 0 0
AWS RDS Master Password Change faloker Sigma Integrated Rule Set (GitHub) 5ce71a8dd2051186eb3bc827687f0161dcd856a3aa78737ffc610f6040d4166c 0 0
AWS Root Credentials vitaliy0x1 Sigma Integrated Rule Set (GitHub) 9a3dad9567f385fd12f06417761f939eaf3bc223c50daac4c997e6f50f690b0c 0 0
AWS Route 53 Domain Transfer Lock Disabled Elastic, Austin Songer @austinsonger Sigma Integrated Rule Set (GitHub) 91af3f000e86d4d90b8e282d15d62993f5d5ca87f5375dee075988c20a572c22 0 0
AWS Route 53 Domain Transferred to Another Account Elastic, Austin Songer @austinsonger Sigma Integrated Rule Set (GitHub) 79dd906114c4b150b65cf759c1c0d1d83d74766afc2feb337b08ee12e340a013 0 0
AWS S3 Data Management Tampering Austin Songer @austinsonger Sigma Integrated Rule Set (GitHub) 14d9fe2befc885c1ed6ef46a55bc25f96407917c2385e324b8515b53a65d4b36 0 0
AWS STS AssumeRole Misuse Austin Songer @austinsonger Sigma Integrated Rule Set (GitHub) ab071ff54304ef514871c1e84cc731ded005fa0ccda3b66616554a41d88efa5e 0 0
AWS STS GetSessionToken Misuse Austin Songer @austinsonger Sigma Integrated Rule Set (GitHub) 6994df5208389be2d74373903274ef547c51d5eed02015e25e143b1932795aef 0 0
AWS SecurityHub Findings Evasion Sittikorn S Sigma Integrated Rule Set (GitHub) 4e8ffcd6780ba56d1f2fa59f77317ebf859a2bf43c4be7719f81b9e03dd5c83d 0 0
AWS Suspicious SAML Activity Austin Songer Sigma Integrated Rule Set (GitHub) 173a650247a0aa08e4f7d1fbb1ab2154526c9f23e45d9bbfaab1313385bc23ac 0 0
AWS User Login Profile Was Modified toffeebr33k Sigma Integrated Rule Set (GitHub) 943930b25869dfad30c94e1eec864e899816b0d8b783767e1940cd6e0138d53c 0 0
Abusable Invoke-ATHRemoteFXvGPUDisablementCommand frack113 Sigma Integrated Rule Set (GitHub) 1ed460e3d1d675508d6550ae97b5b02fb7d2a41633cf104dd13ec5e3898fb4d8 0 0
Abusable Invoke-ATHRemoteFXvGPUDisablementCommand frack113 Sigma Integrated Rule Set (GitHub) 3f23a6c297c45d5a9d63d790d48c7f197bedbf2e2a62d28b67dec7a5a79e3196 0 0
Abusable Invoke-ATHRemoteFXvGPUDisablementCommand frack113 Sigma Integrated Rule Set (GitHub) aa47fee25ec87cbc15062b8d3f7e0acb8e38a64de307365aeec8cfbe02f12c8e 0 0
Abusable Invoke-ATHRemoteFXvGPUDisablementCommand frack113 Sigma Integrated Rule Set (GitHub) cb8936fcf36d16982575da13504782d400992adaac08cd26ba7845c4a4279dee 0 0
Abusable Invoke-ATHRemoteFXvGPUDisablementCommand frack113 Sigma Integrated Rule Set (GitHub) e78750ceeb186d5ea5bbcfb7f9ba741b6d8d9978b25212d97a252621b5af87cf 0 0
Abuse of Service Permissions to Hide Services Via Set-Service Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 44099719049070f990e032a6707550adf96a4eb8cdfdb10f3f37381678c18ccd 0 0
Abuse of Service Permissions to Hide Services Via Set-Service - PS Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) de5075c9666beb50edc776fa77e0615b1a9eee5a4ca639b4f9dadfa59d3ff764 0 0
Abused Debug Privilege by Arbitrary Parent Processes Semanur Guneysu @semanurtg, oscd.community Sigma Integrated Rule Set (GitHub) 9d455dd5e2e653e4afbec915a896019f9ca31a26fba6e2ba47b2a380780ed090 0 0
Abusing Azure Browser SSO Den Iuzvyk Sigma Integrated Rule Set (GitHub) 08cc3358fc66df84bafea574255088ebf9e6d0b56cc08317abc1bc31f94bab4b 0 0
Abusing Azure Browser SSO Den Iuzvyk SOC Prime Threat Detection Marketplace 3a3618c16315d61e28176798a3bb0420bd03a4732de42920b67e1c038effc0cc 0 0
Abusing Findstr for Defense Evasion Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative Sigma Integrated Rule Set (GitHub) 47d19568dce3538a5fd8f2ddbd8388f28dbd91d200dc9a91d8166cb957ace155 0 0
Abusing IEExec To Download Payloads Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) b6040efbd7812c47c4f940044893d325b6ecd7c971385b21b9937eac64f2be90 0 0
Abusing Print Executable Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative Sigma Integrated Rule Set (GitHub) f96e4beae00ea6ddb52dd039e1527892e6c52cdc577988ec8e7730fd3b4cd9a7 0 0
Abusing Windows Telemetry For Persistence Sreeman Sigma Integrated Rule Set (GitHub) 215ab0e3f729db474131b73eb9950bd1decd0ab51c4d221a489c48004d3684e0 0 0
Abusing Windows Telemetry For Persistence Sreeman Sigma Integrated Rule Set (GitHub) 37508447092b61198dba6c2077887c7bd32c0396716095cb8e25593a16b30929 0 0
Abusing Windows Telemetry For Persistence - Registry Sreeman Sigma Integrated Rule Set (GitHub) 29f4b4ab96f93520895ca3d47ccf106f5a6fecadf74906d79a302829883cd114 0 0
Abusing Windows telemetry CompatTelRunner.exe (Audit Rule) Den Iuzvyk SOC Prime Threat Detection Marketplace 879510fbd52dc559762564e9dcee6b800c7ebe8846c237911775cf3f6d8d3cd9 0 0
Abusing Windows telemetry CompatTelRunner.exe (Sysmon Behavior) Den Iuzvyk SOC Prime Threat Detection Marketplace 18fa931666e2ae680fb1e0dcec0ba06dadd31ca6b52d9c619bb42fca8b7d7048 0 0
Access to ADMIN$ Share Florian Roth Sigma Integrated Rule Set (GitHub) 9b8b6fde8104ca3626c27c746a6e6e07d3f8c89905e685f9a05cb5f6f4edc379 0 0
Accesschk Usage After Privilege Escalation Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community Sigma Integrated Rule Set (GitHub) cd3d7a697c3c3677aa8da2c29a31ba2c427c6efdde2818deab23f432540c2193 0 0
Accessing Encrypted Credentials from Google Chrome Login Database frack113 Sigma Integrated Rule Set (GitHub) 51e8e5e690970ad68d784525926120f9a5afde96ebd20253e92cea0d07d54399 0 0
Accessing WinAPI in PowerShell for Credentials Dumping oscd.community, Natalia Shornikova Sigma Integrated Rule Set (GitHub) a683beca7674cad333d64a1ffe5ac971414b265f15a99e2f9d2c7ff967cc2fe2 0 0
Accessing WinAPI in PowerShell. Code Injection. Nikita Nazarov, oscd.community Sigma Integrated Rule Set (GitHub) 780e368b7c4c2665f3cbcc6184c03b9147726ab5239f4c01341cbc02775dafda 0 0
Account Created And Deleted Within A Close Time Frame Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1', Tim Shelton Sigma Integrated Rule Set (GitHub) 2a8a66e18503e4b2c237bf255508bf585dcac87a732728cbbcd511bdd1ff7358 0 0
Account Disabled or Blocked for Sign in Attempts Yochana Henderson, '@Yochana-H' Sigma Integrated Rule Set (GitHub) 82398e3143a953cf8bf5e000c262201372c12f810b17f62d62c997beddd83dff 0 0
Account Enumeration on AWS toffeebr33k Sigma Integrated Rule Set (GitHub) c2d1da71047d12f3e9e82a9b10ae31b7f37c8a89483a537c7049c6f83abd4cb0 0 0
Account Lockout AlertIQ Sigma Integrated Rule Set (GitHub) 1fe55c2a4747185813415dd5f4e3e497c4f1fc14e546ea9fe496f104438a0870 0 0
Account Tampering - Suspicious Failed Logon Reasons Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 5589ef9f2fa4b4fc38d9e2634cb65b59cc829a86599e808fda10586d97094d5b 0 0
AcidBox Activity Den Iuzvyk SOC Prime Threat Detection Marketplace 7036d84b791069d70f9a381859bbfdaf7d37a698a47948b343a49a64ab652cce 0 0
Active Directory Database Snapshot Via ADExplorer Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 43d5cafc2ab99baaf01e5514d320d214797cff1d52b8ad3336702522499ae5c4 0 0
Active Directory Kerberos DLL Loaded Via Office Applications Antonlovesdnb Sigma Integrated Rule Set (GitHub) a2eee7390841d2713ce09ab45175d989688027fe2141938274b88a1dfe11b75c 0 0
Active Directory Parsing DLL Loaded Via Office Applications Antonlovesdnb Sigma Integrated Rule Set (GitHub) 6691a047173376a6c37e4a5a5a2ca36610041e928c2900eb7665491f798ff07e 0 0
Active Directory Replication from Non Machine Account Roberto Rodriguez @Cyb3rWard0g Sigma Integrated Rule Set (GitHub) db12e3072dac7d4a4e8f67282fbba19b12ef761b40ea26359caeec8051cefcd2 0 0
Active Directory Structure Export Via Csvde.EXE Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 695199c448d3b12a58e3752401bf07e8b2e547d6efe0e6149ba8d32748ca9966 0 0
Active Directory Structure Export Via Ldifde.EXE Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 1c98f725d32ca2cd92f710aa97272bf68fc96ad54e57d2d1ca4444e8c95bc7cd 0 0
Active Directory User Backdoors @neu5ron Sigma Integrated Rule Set (GitHub) b0cd1653d4d8f0519ad99bcf040b2db9dd835f2df6daa9087c3e4e0a13beb319 0 0
Activity Performed by Terminated User Austin Songer @austinsonger Sigma Integrated Rule Set (GitHub) 02b84310ae0b2a94f86e5369d7ec39f1a701aed32bc6728b909b446f929745c1 0 0
Activity Related to NTDS.dit Domain Hash Retrieval Florian Roth, Michael Haag Sigma Integrated Rule Set (GitHub) 36868991a76ff137e30dea5f77cced4da2254db444c41aa5f83cc7ba6b8fed48 0 0
Activity from Anonymous IP Addresses Austin Songer @austinsonger Sigma Integrated Rule Set (GitHub) efecf6d62b61312f886723f752a5c2ee5188a1bac0ee585294f03e08291d66b8 0 0
Activity from Infrequent Country Austin Songer @austinsonger Sigma Integrated Rule Set (GitHub) b9be4401ecfc9259f3e9b16e77573b0abed2cf0df93e746abce40e64e7cea7d4 0 0
Activity from Suspicious IP Addresses Austin Songer @austinsonger Sigma Integrated Rule Set (GitHub) c020af8eea2544a4fee04ed5143d696c1224c429b3a7871cc87b00b8d5c6cc8f 0 0
AdFind Usage Detection Janantha Marasinghe (https://github.com/blueteam0ps) Sigma Integrated Rule Set (GitHub) 1e88d14fe153e2c630eb9bdd7e321d7dc3d82670a31f1b36fc90cb6cbc362136 0 0
Add Debugger Entry To AeDebug For Persistence Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 4d9fecbabddea65e4e2c196b0377faa0c800a01ae4b90d37503e8e59aca0844c 0 0
Add Debugger Entry To Hangs Key For Persistence Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 4efb3c3203a4753b90d62be615436fbd2c115d65169098494cb312184a25c564 0 0
Add Insecure Download Source To Winget Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 69a1d86d6744047fb3da5e8d6658a659166715e107e7410172091d94fa935e4e 0 0
Add New Download Source To Winget Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 4e66bd1dd5fee57f4ffe2ecf83a8243471e8dda3f75ccc5321ecf5e8bd5497d5 0 0
Add Potential Suspicious New Download Source To Winget Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 2c1d246414b6774711179081e13ab823b6631ddb09a24e701d4c5878e6c8e37b 0 0
Add or Remove Computer from DC frack113 Sigma Integrated Rule Set (GitHub) 03210cc4570a84f3b468c8ee247567289fab5fdb4708b2818749e054268a37ae 0 0
Added Credentials to Existing Application Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik' Sigma Integrated Rule Set (GitHub) 76dbf85ce46cb957c64f0c64aec7bdf0c8e0a69603d808ac7f3607c24dbe7616 0 0
Added Owner To Application Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik' Sigma Integrated Rule Set (GitHub) 10d9f80cd3b66a46c4b6914ee1f2de614ca2643c9c8d42baa1215bd4b6cdf58f 0 0
Addition of Domain Trusts Thomas Patzke Sigma Integrated Rule Set (GitHub) f354ac1a99792012ceaef04ee732d816f1a2d9dee2e30492295b794811ed0e46 0 0
Addition of SID History to Active Directory Object Thomas Patzke, @atc_project (improvements) Sigma Integrated Rule Set (GitHub) d755877a01e9e73bfd7efde3363de1b7976022aad16110c5a4b2995a9f8604f2 0 0
Admin User Remote Logon juju4 Sigma Integrated Rule Set (GitHub) ba345e8f98204602e6652f9d41bec21ffed8e55fe558a98315201eec3993eefe 0 0
Advanced IP Scanner @ROxPinTeddy Sigma Integrated Rule Set (GitHub) 1e081f4ac10fa7ca5c1322255b4569d35b221c6b54e93ab5bd06bd891b690755 0 0
Advanced IP Scanner @ROxPinTeddy Sigma Integrated Rule Set (GitHub) 5fbf642a60f85b04f337ffeb9e377bf01fbe1ca8b9325ead915068bbec2ec06c 0 0
Advanced IP Scanner @ROxPinTeddy Sigma Integrated Rule Set (GitHub) 654d8ac633b50e98138bcb448019dd2fcb8c0384ae47263728f8b4fd84b8ba98 0 0
Advanced IP Scanner @ROxPinTeddy Sigma Integrated Rule Set (GitHub) 946d2bbdd10c544f6435f9b58d066f0d418f7bf78478848e179abdd8b5ec19b8 0 0
Advanced IP/Port Scanner Update Check Axel Olsson Sigma Integrated Rule Set (GitHub) e940965433a2cc92fc31e2792e173909b90acd90237f0586703e61591ef0a0d6 0 0
Adwind RAT / JRAT Florian Roth, Tom Ueltschi, Jonhnathan Ribeiro, oscd.community Sigma Integrated Rule Set (GitHub) 29d8efa02d53ac611d0b491bedaddbcd34e06668c553dd702b761afceca6d91c 0 0
Adwind RAT / JRAT Florian Roth, Tom Ueltschi, Jonhnathan Ribeiro, oscd.community Sigma Integrated Rule Set (GitHub) 40b38a30ad910fcc157b48f5890f35898cc92ae17559bda1764e434dfc37c1d4 0 0
Adwind RAT / JRAT Florian Roth, Tom Ueltschi, Jonhnathan Ribeiro, oscd.community Sigma Integrated Rule Set (GitHub) 6b74b152297fb45850c046a229ca64920ee9d973e33fdb61c3954a849baa882e 0 0
Adwind RAT / JRAT Florian Roth, Tom Ueltschi, Jonhnathan Ribeiro, oscd.community Sigma Integrated Rule Set (GitHub) 9a837c56dc81ffe30b3cbb46efbb5eaef5933b049b212514e9bb4380f12623c0 0 0
Adwind RAT / JRAT Florian Roth, Tom Ueltschi, Jonhnathan Ribeiro, oscd.community Sigma Integrated Rule Set (GitHub) e1d3ef681f53390850fb5bcd89f8d9388eebce85673fe6b8f766bd596275003d 0 0
Adwind RAT / JRAT - Registry Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community Sigma Integrated Rule Set (GitHub) 2430fe9fd6e24946c8534bace62f59a139bd0871a15e594408a81134d905d1c3 0 0
AeDebugProtected Reg Key Persistence Den Iuzvyk SOC Prime Threat Detection Marketplace a3febaea6fa1eefc8642f7d848d0b2d4f2b70c0359fa395d9e8ee921c218b36d 0 0
AgentExecutor PowerShell Execution Nasreddine Bencherchali (Nextron Systems), memory-shards Sigma Integrated Rule Set (GitHub) bdfecd34e78aae683a75a4a2ea4412bf84cb14ba9fb9fac298724228723ad016 0 0
All Rules Have Been Deleted From The Windows Firewall Configuration frack113, Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) de3c3a1f1f885a99189003961c40507ff50155075f1847683580c0391eca48c6 0 0
Allow RDP Remote Assistance Feature frack113 Sigma Integrated Rule Set (GitHub) 166df8c1d3e7f7c5a9fbd54dfc633614e8f49352354a3f5d9fe7ea04de73be78 0 0
Alternate PowerShell Hosts Roberto Rodriguez @Cyb3rWard0g Sigma Integrated Rule Set (GitHub) 5b34558f1c4d3065989635055533ba223585e99be44e2b0e319dfc6946c50ee2 0 0
Alternate PowerShell Hosts Roberto Rodriguez @Cyb3rWard0g Sigma Integrated Rule Set (GitHub) 66d3c05927db71e9d8760c5353ef8a161521b446c0b6cb8ea538a081d2d15e8f 0 0
Alternate PowerShell Hosts Roberto Rodriguez @Cyb3rWard0g Sigma Integrated Rule Set (GitHub) b98a87132b8f25c1b28f308d62a1f37edb6a16c239e5d98a314a15853193b18c 0 0
Alternate PowerShell Hosts - Image Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) Sigma Integrated Rule Set (GitHub) 1ff53e9fd6749954464f3ac22171fc115796cbc09d5ac9331d6db4cad674287e 0 0
Alternate PowerShell Hosts Module Load Roberto Rodriguez @Cyb3rWard0g Sigma Integrated Rule Set (GitHub) 0b70b2266832f57d7fcd62d232b3b469d8788c9a97ee87dfac1147dbd08533a2 0 0
Alternate PowerShell Hosts Pipe Roberto Rodriguez @Cyb3rWard0g Sigma Integrated Rule Set (GitHub) ba100a757ed85b5b1b191f9aa12c8123ef59a9afd99c6cb8fdaeb4f7bd4e12fa 0 0
Amadey Botnet detection (TA505) Ariel Millahuel SOC Prime Threat Detection Marketplace 472362d8dcad8c26a75836b16e7f1e1fa272f614affc2dd864632b8a3af7e12f 0 0
Amadey Botnet detection (TA505) Ariel Millahuel SOC Prime Threat Detection Marketplace cec4465383805716c59e96f51fd252bb21a3cba08cb59dfe0e21d49eaaee228a 0 0
Amadey Botnet detection (TA505) Ariel Millahuel SOC Prime Threat Detection Marketplace dabd120c240b719397478da50d0bac817e3ab6b120221b5c78ba3d5e42143637 0 0
Amsi.DLL Load By Uncommon Process frack113 Sigma Integrated Rule Set (GitHub) 839b8da98cb18a93a4c803f0e372af5098133357d4e2c35fd9f75cd01bbd43b1 0 0
Anonymous User Changed Machine Password SOC Prime Team SOC Prime Threat Detection Marketplace 5262477d283c94c8a282e110700640abccc3d50d92a485af02adb2a0ed079358 0 0
Antivirus Exploitation Framework Detection Florian Roth (Nextron Systems), Arnim Rupp Sigma Integrated Rule Set (GitHub) b74dd119e6b8a4b8160d85ec696dd1b8f9d9990a6eebdc5abee1ce10d635d8fa 0 0
Antivirus Hacktool Detection Florian Roth (Nextron Systems), Arnim Rupp Sigma Integrated Rule Set (GitHub) c199a1ab724951efd7b45265fbdd55c15874411108f51d080ff79caf07509ed8 0 0
Antivirus Password Dumper Detection Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 26728f84df236571280d6d8d3ec2ef0250723676cf344e0e4b29b397901037d5 0 0
Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection Sittikorn S, Nuttakorn T, Tim Shelton Sigma Integrated Rule Set (GitHub) 22284a04af59d3dfb90caff89d34cb8f366f73553f1aa99101a46e88e4200b71 0 0
Antivirus Ransomware Detection Florian Roth Sigma Integrated Rule Set (GitHub) 8d8c06ae6c280fb5c26f506a8eadadc666e6b8a4b115fb8c68decf1202868f19 0 0
Antivirus Relevant File Paths Alerts Florian Roth, Arnim Rupp Sigma Integrated Rule Set (GitHub) a3fdf9ece7053d2030dc642bd2eb70cd4c3a3e45f7939313db5d59ae6fec42db 0 0
Antivirus Web Shell Detection Florian Roth, Arnim Rupp Sigma Integrated Rule Set (GitHub) 0abd8831aa5efdcfa40c619dadeb24d85fa74d097fa44e68d639accddb2a7e70 0 0
Anydesk Remote Access Software Service Installation Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) a74b000fa65a105160edaf2cea082befdfd07389b3d81378fd43cd6abf3a94b0 0 0
Anydesk Temporary Artefact frack113 Sigma Integrated Rule Set (GitHub) e10fbca4d86522aeac83abdc331770c474bf85a4fbe87cff23642eb6a498969a 0 0
Apache Segmentation Fault Florian Roth Sigma Integrated Rule Set (GitHub) 723a6621f9b140b510c7f46523b33c69c2beb3f9e824516e07e5bb83aa5b0d26 0 0
Apache Spark Shell Command Injection - ProcessCreation Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 245d51be14a6aea8247e090ed8bccd7ff1343a69fe3e5ac425960f84c6c0d629 0 0
Apache Spark Shell Command Injection - Weblogs Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 6049b3cd09fadec41e58f1373307e089bec9fc104540bffcab8d389ffd26e28d 0 0
Apache Threading Error Florian Roth Sigma Integrated Rule Set (GitHub) 2210d9229d212ebd79a69712d72ae5590caccd7f8c47f91331c431e3394f87ce 0 0
App Granted Highly Privileged Permissions Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow' Sigma Integrated Rule Set (GitHub) f5c2edfa4568095138a74e6d1258f67aacbb769134e9dbb212870a4a8de09873 0 0
App Granted Microsoft Permissions Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow' Sigma Integrated Rule Set (GitHub) 2d29ecc9290d6afa03d733640acc3d0d220b0b393f7b2719ac33295f58c34e63 0 0
App Granted Privileged Delegated Or App Permissions Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow' Sigma Integrated Rule Set (GitHub) 959c26d059b6b1c8acebab85f72c99215eee0aa0897c32c96524377b6f90e88a 0 0
App Permissions Granted For Other APIs Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow' Sigma Integrated Rule Set (GitHub) a6bd215d292cb31faa9264f005c75200c428fc84f750306c85eb596505799c29 0 0
App Role Added Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow' Sigma Integrated Rule Set (GitHub) 7b9cf1b24ba10b85109a309c8ec31d9cc0cb3bd010d2ee2c99bdb301b4a482fb 0 0
AppInstaller Attempts From URL by DNS frack113 Sigma Integrated Rule Set (GitHub) 8c20386ca2239562a26b808135071390e3abe7434cb251781a4656b1b4cf71e6 0 0
AppLocker Bypass via Regsvr32 Joe Security Joe Security Rule Set (GitHub) 2331619a69009fbe3cead24a909b7e9d42ffb14b71caa6d83ee04fce114b10eb 0 0
Application AppID Uri Configuration Changes Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik' Sigma Integrated Rule Set (GitHub) 7bb4d1866297312fbaf22981a0884a00cd2b6cc0884294b995f8af22637b8c42 0 0
Application URI Configuration Changes Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik' Sigma Integrated Rule Set (GitHub) 602740da70d3ff3d4654b32be683dfb1b49ad03a45553e1380a03ee918bc32a5 0 0
Application Uninstalled frack113 Sigma Integrated Rule Set (GitHub) c82edf1cc13cd1fb147ab2b58854576c3cdaad0a6d5b8b4fecbf68a08a1e742a 0 0
Application Using Device Code Authentication Flow Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik' Sigma Integrated Rule Set (GitHub) 226c91fcc62837d3f1c04764f19be2a014d6d398a9af8c46e6ff6ef2d28fa6f5 0 0
Application Whitelisting Bypass via Bginfo Beyu Denis, oscd.community Sigma Integrated Rule Set (GitHub) 3a9675abeacca74d231073efcc4c362ddc755278240288e69cd34b2f2052cffc 0 0
Application Whitelisting Bypass via DLL Loaded by odbcconf.exe Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community Sigma Integrated Rule Set (GitHub) e7b216cf44265cf356b012760fb4e0a6e04289ad81a1fe180bdb6b75c59729a0 0 0
Application Whitelisting Bypass via Dnx.exe Beyu Denis, oscd.community Sigma Integrated Rule Set (GitHub) da46c4a25c9b1a9291dd79b4539957b5ab71a6f2d75da9a90cfe48f74048a9a9 0 0
Application Whitelisting Bypass via Dxcap.exe Beyu Denis, oscd.community Sigma Integrated Rule Set (GitHub) 208e2a3b52a6d211e7c5b85a6b02a3d7b276c3d13e266917a5e033a43cc39d85 0 0
Application Whitelisting Bypass via PresentationHost.exe Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) a92f0f2a0c39160d3e7f5d285e22beedb4e44ac9471c4675711203fabcbde79f 0 0
Applications That Are Using ROPC Authentication Flow Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik' Sigma Integrated Rule Set (GitHub) 4edddc78b121c570c0cc0b8f9f34fda448ae47381dc23fa34d0e92afb84b8c56 0 0
Apt GTFOBin Abuse - Linux Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) fb264a5706df7ef97923f067f7e95a160f5ac20d0a2a45fdfd4358ea9601ac11 0 0
Arbitrary Binary Execution Using GUP Utility Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 3eb1798da734a1175f4064db9bcae87d8f1e0635b2a5bc95e9211a3604b8c76b 0 0
Arbitrary Shell Command Execution Via Settingcontent-Ms Sreeman Sigma Integrated Rule Set (GitHub) 1eb1f4796a2c05305c0e6fb961bac3fd02861464a7d6bc3d1a35461737101c81 0 0
Arcadyan Router Exploitations Bhabesh Raj Sigma Integrated Rule Set (GitHub) 0274ce4cedfe4942275222ff262ad3bc4a6d9230e7d8aa753adaf19da3b08ebe 0 0
Artrta Trojan (Sysmon detection) Ariel Millahuel SOC Prime Threat Detection Marketplace a460ea212cd93f867529a23e3064a9972f4e4b97bbba5f916b427016caaccd93 0 0
Aruba Network Service Potential DLL Sideloading Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 5179445d911d6fbb8c94da23454267597f95beaeaa0630fb25175609654f9df3 0 0
Atera Agent Installation Bhabesh Raj Sigma Integrated Rule Set (GitHub) 25ae1d6038813be4c6c9dd482574522a1ec3ed0d01450b06b4673f94bef1aa71 0 0
Atlassian Bitbucket Command Injection Via Archive API Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 1d886380a9f8a967bf006cabbc3bad64fdf82ea3450ec02b40bcc4c56ea33900 0 0
Atlassian Confluence CVE-2021-26084 Bhabesh Raj Sigma Integrated Rule Set (GitHub) 56b5ba6ff40bf2213da0f48c868136707e52c6ca8ac602bf6013d111e87ea977 0 0
Atlassian Confluence CVE-2022-26134 Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) da92610c4bf2acba31703944912a2d93f568fe02dea678aa4640ab4c80536cf3 0 0
Audio Capture Pawel Mazur Sigma Integrated Rule Set (GitHub) a4baf3681957e567a0dcabca982a74d6ef27a7f4371c330e743abb82201ce772 0 0
Audio Capture via PowerShell E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community Sigma Integrated Rule Set (GitHub) db002a5ffd8be8305184d197dda045b272ab439c9fc205a6ce985e3eb911df70 0 0
Audio Capture via SoundRecorder E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community Sigma Integrated Rule Set (GitHub) 9d251711b5a07fe8fb5fa341d8312ddbf0fd1b878b4a2d04e5feebb9885f1067 0 0
Audit CVE Event Florian Roth (Nextron Systems), Zach Mathis Sigma Integrated Rule Set (GitHub) 0c184188e5202d857b8ad97911db2679f4da47c8ff9498e869e2794f4b017d77 0 0
Auditing Configuration Changes on Linux Host Mikhail Larin, oscd.community Sigma Integrated Rule Set (GitHub) 08bdc4ce556bc84980d5552bb3426a25d11cc00dfa1d2ca4e727b609ad595cb6 0 0
Authentications To Important Apps Using Single Factor Authentication MikeDuddington, '@dudders1' Sigma Integrated Rule Set (GitHub) ab5210813ff4cfde3cc40f087e36f3bb3bf91424a6843fc7c43981fdd0d43638 0 0
Azorult and XMRigCC behavior Ariel Millahuel SOC Prime Threat Detection Marketplace 312ca94426dbc718ff09f09e6a43b898190a0aaf80ccbf8bbc1faeab30a2381d 0 0
Azorult and XMRigCC behavior Ariel Millahuel SOC Prime Threat Detection Marketplace 384c8a60fa80b800ebd740d52e56ddada550877252c4a1c54b09045cbd667d20 0 0
Azorult and XMRigCC behavior Ariel Millahuel SOC Prime Threat Detection Marketplace eb88bdebe1990354c146b84c3335fe5d42136e63848540b27845073f1f61fd4d 0 0
Azure AD Health Monitoring Agent Registry Keys Access Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC Sigma Integrated Rule Set (GitHub) 3bfeb8cfe94b16cd5b7f3c96024b95509404dee7b48144b2af8aa5ce4779de13 0 0
Azure AD Health Service Agents Registry Keys Access Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC Sigma Integrated Rule Set (GitHub) bbe20978cff2db9667ec877573b1107ee982ff6d743fa80d3cbf2b74771a384a 0 0
Azure AD Only Single Factor Authentication Required MikeDuddington, '@dudders1' Sigma Integrated Rule Set (GitHub) 6ec6f440b21637b3be0f9f60a20e5f6fe64fbe1d64418abc56449a7f4b56c642 0 0
Azure Active Directory Hybrid Health AD FS New Server Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC Sigma Integrated Rule Set (GitHub) 74b3585358a705f41a3c47ca255f4fdf226f80d67efcd8180692d9830cb0cddc 0 0
Azure Active Directory Hybrid Health AD FS Service Delete Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC Sigma Integrated Rule Set (GitHub) 79b78dee5286fabf9074e377bf3ad75038d8b8d9a5087f439b47b5c962e9a221 0 0
Azure Application Credential Modified Austin Songer @austinsonger Sigma Integrated Rule Set (GitHub) 8249fead423c34843b4256f38229856595e4938b344740799a977671a8721be9 0 0
Azure Application Deleted Austin Songer @austinsonger Sigma Integrated Rule Set (GitHub) 2ca197a0660bd80fe905e4ca00acc28acc9704a89ac7f82e3b3f99f91c2277bc 0 0
Azure Application Gateway Modified or Deleted Austin Songer Sigma Integrated Rule Set (GitHub) 99cfccf0f7621c216ab9a6e574118c7d08bd147ed24fdfc923c1bef27869dd2e 0 0
Azure Application Security Group Modified or Deleted Austin Songer Sigma Integrated Rule Set (GitHub) fee924d31493870a0e467e4c218281258f926382c4aed996e8c0ead7b0ffd1a1 0 0
Azure Container Registry Created or Deleted Austin Songer @austinsonger Sigma Integrated Rule Set (GitHub) a50193cebf131589afa2e4c5caf4bd66397e7f3e21a007d2dceb8a4a87b50ef2 0 0
Azure DNS Zone Modified or Deleted Austin Songer @austinsonger Sigma Integrated Rule Set (GitHub) 43efaace741bf5e0b6dd18d8ac4cb9c2541ae1076b512e1bd743a3064a1e6bd6 0 0
Azure Device No Longer Managed or Compliant Austin Songer @austinsonger Sigma Integrated Rule Set (GitHub) c81341f9f6cd4cd0b87566645bb2e5b8bcbf96eb3f70ff9b56ee3abf4854e84d 0 0
Azure Device or Configuration Modified or Deleted Austin Songer @austinsonger Sigma Integrated Rule Set (GitHub) 96deb162e4d7078c4d37c8e9299cd36a06bd4e7851a6667dbf6d26a2c982d28e 0 0
Azure Domain Federation Settings Modified Austin Songer Sigma Integrated Rule Set (GitHub) cbd7365e52f94f02a513846714617391f68f6912003a2eb9a0bbacf128259b5b 0 0
Azure Firewall Modified or Deleted Austin Songer @austinsonger Sigma Integrated Rule Set (GitHub) d45698a63ac241254c2e58e006dd45b43f164ffe1d0a192e9e4bfb69fd4d0a70 0 0
Azure Firewall Rule Collection Modified or Deleted Austin Songer @austinsonger Sigma Integrated Rule Set (GitHub) 4e5d8654f38840ce7dfb65eccbb26e41cf2087dc48fd3290abc364e99ff6c223 0 0
Azure Firewall Rule Configuration Modified or Deleted Austin Songer @austinsonger Sigma Integrated Rule Set (GitHub) 1966c63d48e697e85ff918b12a3933601905b8e608c26a39ba40d0802843a0a7 0 0
Azure Key Vault Modified or Deleted Austin Songer @austinsonger Sigma Integrated Rule Set (GitHub) 8277b5e14bd624d703568cc728cc7573300e7157c6085a669f3c467b2b2dc91f 0 0
Azure Keyvault Key Modified or Deleted Austin Songer @austinsonger Sigma Integrated Rule Set (GitHub) 9cd4b711206e3c37197e34894fa230459f8f3973e55a8393632f7b4f394a0757 0 0
Azure Keyvault Secrets Modified or Deleted Austin Songer @austinsonger Sigma Integrated Rule Set (GitHub) ca76365114071335144bbd16aa1ff1702fba9628d9339290e6ad1ca4038485b0 0 0
Azure Kubernetes Admission Controller Austin Songer @austinsonger Sigma Integrated Rule Set (GitHub) 0f1f0dc48da97695cb6527b079cf0a309aa8c1f5330034f614fd18aa4a3a515d 0 0
Azure Kubernetes Cluster Created or Deleted Austin Songer @austinsonger Sigma Integrated Rule Set (GitHub) ad11168ee302b9e417ef34de10e853a070a2255f619a0f2e5ce8093efa4125ec 0 0
Azure Kubernetes CronJob Austin Songer @austinsonger Sigma Integrated Rule Set (GitHub) 6f0756909a231b1de68feb41531a09f1b4aa980d4cb705216064bbf410c47f38 0 0
Azure Kubernetes Events Deleted Austin Songer @austinsonger Sigma Integrated Rule Set (GitHub) 8d931927daa9fe944bfee3fe82c6723e2f8c8daab9a97f657c6b92eec3f60413 0 0
Azure Kubernetes Network Policy Change Austin Songer @austinsonger Sigma Integrated Rule Set (GitHub) fa73bc2ee70f7f45ebea4039e72ecbf9d55585af7633d7dc5ee78175f740c847 0 0
Azure Kubernetes Pods Deleted Austin Songer @austinsonger Sigma Integrated Rule Set (GitHub) e96da18a9f7bce0ba8dbf0ea74585858e37bdf438c3a3acf0e69ad4f611d8e00 0 0
Azure Kubernetes RoleBinding/ClusterRoleBinding Modified and Deleted Austin Songer @austinsonger Sigma Integrated Rule Set (GitHub) dcf545836738f2f84a8fe309688d2565d5db60f2003e89935f9c884ebde8b2f3 0 0
Azure Kubernetes Secret or Config Object Access Austin Songer @austinsonger Sigma Integrated Rule Set (GitHub) dcea1ea1d9ac39af65a5f28568f16c91f9dc4c647daea19dce016dd2466bdbd8 0 0
Azure Kubernetes Sensitive Role Access Austin Songer @austinsonger Sigma Integrated Rule Set (GitHub) 23e30fa444fae1b172748e6a76e829b2b5bc2d747c0c6d679f757fbdb036198b 0 0
Azure Kubernetes Service Account Modified or Deleted Austin Songer @austinsonger Sigma Integrated Rule Set (GitHub) 8a73631fa6f0fa5dff761b9c6c0a3ccf6a66f656636662418503f105d17d8993 0 0
Azure Network Firewall Policy Modified or Deleted Austin Songer @austinsonger Sigma Integrated Rule Set (GitHub) 9899c52490520e420876ad5de364f9f956e993c38bb2bf6e26f7afad6560eee9 0 0
Azure Network Security Configuration Modified or Deleted Austin Songer @austinsonger Sigma Integrated Rule Set (GitHub) d91818569830303d0793ec9cdf27d592e581e957caa02141080927e8d4debd7d 0 0
Azure New CloudShell Created Austin Songer Sigma Integrated Rule Set (GitHub) 168e1c35ae1332d1fde280357d55f94bc3fa72d5f623c5075dc9e95719b508e0 0 0
Azure Owner Removed From Application or Service Principal Austin Songer @austinsonger Sigma Integrated Rule Set (GitHub) f497fa0952b0643d212e000f9beedfa0e38c340e126cc980759fd73aea3f074b 0 0
Azure Point-to-site VPN Modified or Deleted Austin Songer @austinsonger Sigma Integrated Rule Set (GitHub) 4fe122fb2f4694c438ef09c62c437757ffff5f2960a1d78aa757b6f0cdab3541 0 0
Azure Service Principal Created Austin Songer @austinsonger Sigma Integrated Rule Set (GitHub) 8e656dbfb37b60d6fef29014993072a6b8341f80dbd9d2ac0901fc71eb99b51f 0 0
Azure Service Principal Removed Austin Songer @austinsonger Sigma Integrated Rule Set (GitHub) ce41462e381c9c869284161db12adbbf2078003b7ce16266c923d3dc021e19a0 0 0
Azure Subscription Permission Elevation Via ActivityLogs Austin Songer @austinsonger Sigma Integrated Rule Set (GitHub) 5fc1781e8afc3e000022771fd6678ed7bca2e931810fbe088916375a89ca353c 0 0
Azure Subscription Permission Elevation Via AuditLogs Austin Songer @austinsonger Sigma Integrated Rule Set (GitHub) f1133baebe520b6bb3b6aa03c2a199e4297f5620463593d2698f7317285f40a5 0 0
Azure Suppression Rule Created Austin Songer Sigma Integrated Rule Set (GitHub) c024312538da26140188fc0c40fb6fdffd2ba7813aeb307a59b8a7a73953de52 0 0
Azure Unusual Authentication Interruption Austin Songer @austinsonger Sigma Integrated Rule Set (GitHub) a2fbabf1ea8e4593cac5c7ebaa8163ce713e0ccc9f65c8c76fd6ac40c53ccab9 0 0
Azure VPN Connection Modified or Deleted Austin Songer @austinsonger Sigma Integrated Rule Set (GitHub) e0af5f08fe2a083cdd976c7c926cdeee6d6099cf28085ad65013d5a1c9041186 0 0
Azure Virtual Network Device Modified or Deleted Austin Songer @austinsonger Sigma Integrated Rule Set (GitHub) caa2f19474e04314ce3f38bdc4f01d4f9704a841377ea129171fc6d2ec5f08e0 0 0
Azure Virtual Network Modified or Deleted Austin Songer @austinsonger Sigma Integrated Rule Set (GitHub) daf496c3dedf483941f3040398af3b052a54fea0d8f410a2407b7284ae613dd4 0 0
BITS Transfer Job Download From Direct IP Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) a494f742d330705777e5a96f912460606a8f2e2d14c3c3ff9bca30929187e494 0 0
BITS Transfer Job Download From File Sharing Domains Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) b0d0f79e71de73c83c9e3ae928a91ccccbfa9b757e0826a629f68a3eb8cd0650 0 0
BITS Transfer Job Download To Potential Suspicious Folder Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 884ffa23512e6ebd77b6b249b9116f23f70d19d19433ab61ad18becb188413bc 0 0
BITS Transfer Job Downloading File Potential Suspicious Extension frack113 Sigma Integrated Rule Set (GitHub) 07b062a873c1d9a27ed7c8b25d19df4ae39cb2bcae62b16c6c0b738e0e99e75a 0 0
BITS Transfer Job With Uncommon Or Suspicious Remote TLD Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 916d1dea4e8931fac50e75afcd2ff7c3c4eb8e68a32b9f83d9846a5baa1b41bb 0 0
BPFDoor Abnormal Process ID or Lock File Accessed Rafal Piasecki Sigma Integrated Rule Set (GitHub) ad15a7ca794c1a80d655c5a8c8ce1bd98703b84bcbe58e085c057ad49c6377c9 0 0
BPFtrace Unsafe Option Usage Andreas Hunkeler (@Karneades) Sigma Integrated Rule Set (GitHub) 14224ae90ba2bfd3b69a2ebda9756c88e99dccecb1580804850e6163e97657da 0 0
Baby Shark Activity Florian Roth Sigma Integrated Rule Set (GitHub) 7e3c417e8dc74e72824b44e745f3abcd085e70e309ca15d279f127de94331f6e 0 0
BabyShark Agent Pattern Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 65fc9733e96d5061d9c0158d5e935ee4fb89c6a3d5981ed3e2ee6eba8d7931bc 0 0
BackSwap Trojan detection Ariel Millahuel SOC Prime Threat Detection Marketplace e578b7532f350b30e9614eb1a524f8d25975960eeaa667becc98ac9cd99c42ee 0 0
Backup Catalog Deleted Florian Roth (rule), Tom U. @c_APT_ure (collection) Sigma Integrated Rule Set (GitHub) db25081a26915f454c9f9fc4dd73865d15100f764005bd361a8ec9eecee428d3 0 0
Backup Files Deleted frack113 Sigma Integrated Rule Set (GitHub) f15234ba5cc4c709633e015e497cce2bab7cd6f91b488b8c04ecfd5651e68749 0 0
Bad Opsec Powershell Code Artifacts ok @securonix invrep_de, oscd.community Sigma Integrated Rule Set (GitHub) c5b3ab9b3a0221a66b1da487bf7bd851b4f9cf0a8e2b7b22e659e5fd42b40815 0 0
Banload Trojan Detection Ariel Millahuel SOC Prime Threat Detection Marketplace 4c21f3c713476df5631f5741b8b322c195fdd1759bd4220138d6e4d100c43b59 0 0
Banload Trojan Detection Ariel Millahuel SOC Prime Threat Detection Marketplace cf78d5c37f3b09e94b3500edde1baaf99114e6503c98d1cedbf58f67f4e2b1de 0 0
Banload Trojan Detection Ariel Millahuel SOC Prime Threat Detection Marketplace df75fb5e2add2e6674d7b5df931eb3ea32c98e61f6fcc4cb9e981b99fab72c52 0 0
Bash Interactive Shell @d4ns4n_ Sigma Integrated Rule Set (GitHub) f79f3c90ed2814f8c1329307fde553431e9978c1fb579ef0824abb01a64310bf 0 0
Binary Padding Igor Fits, Mikhail Larin, oscd.community Sigma Integrated Rule Set (GitHub) 02cb79a02d071bcc40631d144c5a778d3326e0d2226089538e755f27dfac2048 0 0
Binary Padding Igor Fits, oscd.community Sigma Integrated Rule Set (GitHub) 3fbac61acf4870c524599db45e1b2dfc09b3058a0096d5fb5b9f1cbc7cde4fee 0 0
Bitlocker Key Retrieval Michael Epping, '@mepples21' Sigma Integrated Rule Set (GitHub) 7b3b2c6da15ef5621daef26ebb3baabf8a365d507916d900ab1eb197769c414b 0 0
Bitsadmin to Uncommon IP Server Address Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 5a7b58d1d0d85ecf23dadf094755b9ec6fb8f853ee15f4f3959216ad963771b6 0 0
Bitsadmin to Uncommon TLD Florian Roth (Nextron Systems), Tim Shelton Sigma Integrated Rule Set (GitHub) 2e6f9336c9aa7e0fb900844db203acd64f2e49c46053557f76e819509277e0b2 0 0
Black Kingdom Ransomware Ariel Millahuel SOC Prime Threat Detection Marketplace 7b246ccd83dc04be953170d86f9c74b4e9d46071fbc612523b2b7b5564ea248e 0 0
BlackWater Malware (Sysmon detection) Ariel Millahuel SOC Prime Threat Detection Marketplace 39cd8a4762fefe23e71b4a9c925150241a4c887c22e6c33561f972f394454f55 0 0
Blackout Ransomware Ariel Millahuel SOC Prime Threat Detection Marketplace 85ed357648ddf115b4b4d1596a36cdf430f132c7262701da1960f5d9c685d48d 0 0
Blackout Ransomware Ariel Millahuel SOC Prime Threat Detection Marketplace b5d26570d88e55e6f8513514b34cb8ae7122dfac66a407ee89e3136500fcec9b 0 0
Blackout Ransomware Ariel Millahuel SOC Prime Threat Detection Marketplace e10ed3279956a72f0ea14fe2fcfa974f8619f90a357e53fe89511819a764c36f 0 0
Bladabindi backdoor Ariel Millahuel SOC Prime Threat Detection Marketplace acbedd0b4dd2d93744542676c9afdfcf6f0f313229b26f137a2d979893bec5ff 0 0
Block Load Of Revoked Driver Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) b6a678b271d158987968faddcf4e07f864b2080c9ff19677921e776403be400e 0 0
Bloodhound and Sharphound Hack Tool Florian Roth Sigma Integrated Rule Set (GitHub) cfc47087b4c2d98cee5d80b1383b55212d8fe298ebc880e15c894f55123fa95a 0 0
Blue Mockingbird Trent Liffick (@tliffick) Sigma Integrated Rule Set (GitHub) 0cb9e146271e0c9ad794c98863e0e6d9c6ca19471bfea205eee4a276fecbd69d 0 0
Blue Mockingbird Trent Liffick (@tliffick) Sigma Integrated Rule Set (GitHub) 8f6a9e9bbcb601d1bc09093f383e8d8f1f7f09bf7d7e69843c14a7cd880ee0c1 0 0
Blue Mockingbird Trent Liffick (@tliffick) Sigma Integrated Rule Set (GitHub) d0b6ca563c74d796de2ac3b8200508b7ea05a9ba9533d0d455ec1f717dd0b8d5 0 0
Blue Mockingbird Trent Liffick (@tliffick) Sigma Integrated Rule Set (GitHub) f1ab359e7200763d0ebd605b4d6c074a821679006372360c1fef073501822e2b 0 0
Blue Mockingbird Trent Liffick (@tliffick) Sigma Integrated Rule Set (GitHub) f723401b33927cfc6f265fefe66ce2982144e1ddeb991a3b47302b70b730b91a 0 0
Blue Mockingbird Trent Liffick (@tliffick) Sigma Integrated Rule Set (GitHub) fb9f6bbd034578721056b64fb7a34b4e2726da17d1cbf5711dced3ab7cd005c7 0 0
BlueMashroom DLL Load Florian Roth Sigma Integrated Rule Set (GitHub) fa6fe737f5145762e909801e31b442ca6e73fb112f26179762cd60b5c64a4867 0 0
Bpfdoor TCP Ports Redirect Rafal Piasecki Sigma Integrated Rule Set (GitHub) e48afde2372557d77514edca83b126212c3f48b0bf0e38f4a35cf2ae0ed2af33 0 0
Brute Force Aleksandr Akhremchik, oscd.community Sigma Integrated Rule Set (GitHub) 4307719a67c4c9c1343c12fa7fbdb91107ce614a895545a9b2de04426298134a 0 0
Buer Loader (Sysmon detection) Ariel Millahuel SOC Prime Threat Detection Marketplace 6327206ca6b0ae94eb02e02c0eda55e26020672bad83ed8831fcdc84f2c0f3ff 0 0
Buffer Overflow Attempts Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) ad1714ed24aec2fa28551a247a666369e496ada2acb48b02b3b266083d75e6b1 0 0
Bulk Deletion Changes To Privileged Account Permissions Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H' Sigma Integrated Rule Set (GitHub) 5f36d7e3b3bc9590aa6a129e7e3db4fb78f2245031d5a0111add67b2dc8371b5 0 0
Bumblebee Remote Thread Creation Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) c8f014ee43cb3fab9f235f104d16cf3641236cd69f3975b08abac22e75458d45 0 0
Bunitu Trojan Ariel Millahuel SOC Prime Threat Detection Marketplace 3a8e7baeffec67b69220da8b8d25bcae45e047937d0f2f833052ef5ea532aa9a 0 0
Bypass UAC Using SilentCleanup Task frack113 Sigma Integrated Rule Set (GitHub) 09bd87cd156913fd5b64ab548f700258c49833a235b205c8494f05634670d8d9 0 0
Bypass UAC via CMSTP E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community Sigma Integrated Rule Set (GitHub) ae5debad574fb4590d5efc9d2e3614bb603a5670f3f9f926a42d2ecbf0de0291 0 0
Bypass UAC via Fodhelper.exe E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community Sigma Integrated Rule Set (GitHub) 4793e3844bd4ee212795ee4a6bf167b869d51840732845bf0d2aa41f7481e6d7 0 0
Bypass UAC via WSReset.exe E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community Sigma Integrated Rule Set (GitHub) ced1e1a1282b5d51ede1ac7a7dcc08496c538aeeb8bc6ecc1f72af56cd773d04 0 0
CA Policy Removed by Non Approved Actor Corissa Koopmans, '@corissalea' Sigma Integrated Rule Set (GitHub) 4b21e17c3224a50fbfa8db57e0c47405a95b42de6c2d13284a025f958c59cda8 0 0
CA Policy Updated by Non Approved Actor Corissa Koopmans, '@corissalea' Sigma Integrated Rule Set (GitHub) e97a3f03c9bdcda96062b2a4766cd34e555d12f3df4a36c6f2fd409dd05b29e9 0 0
CARROTBAT Malware detection Ariel Millahuel SOC Prime Threat Detection Marketplace 793159445715fc7a8b862f94666ae175cf0a3f6ab66c76e3af31ac86638fa859 0 0
CLR DLL Loaded Via Office Applications Antonlovesdnb Sigma Integrated Rule Set (GitHub) 6362c65a14d81807ed78ab9e2fa99fbb546c067d39b3b63846c820e5c401e2e3 0 0
CLR DLL Loaded Via Scripting Applications omkar72, oscd.community Sigma Integrated Rule Set (GitHub) 5c2eb7356281203a2556ea40a71892ba7a369c46d5f2fc4574a427ac968c097c 0 0
CL_Mutexverifiers.ps1 Proxy Execution oscd.community, Natalia Shornikova, frack113 Sigma Integrated Rule Set (GitHub) d4793fdc170cfc0019f263c5dbc49df48f39d366293c6a9ae195061e90baf017 0 0
CMSTP Execution Nik Seetharaman Sigma Integrated Rule Set (GitHub) 65ffc0ddb80d953bb500276c61b57ba48cb45df5128bb8264ab47e7f48b2c9ec 0 0
CMSTP Execution Nik Seetharaman Sigma Integrated Rule Set (GitHub) ba18b1afcbf41aa13fd2cd7dc8e323b09854c6f046b4a98d07c2ea5d751d7584 0 0
CMSTP Execution Nik Seetharaman Sigma Integrated Rule Set (GitHub) fcd2fd95fad355c5e2d783abef0cb21f5fcc96e6ed5e0637f465bb7e75cf9342 0 0
CMSTP Execution Process Access Nik Seetharaman Sigma Integrated Rule Set (GitHub) 87af8c0b574ec328882da2ed6ae28880f2577cf0bbe165ae6e19d50475c6d86a 0 0
COM DLL Loaded Via Microsoft Office Product (via sysmon) SOC Prime Team SOC Prime Threat Detection Marketplace 8f3c9743049559fb0309f2478f6d6c65e7de8ef0a27373e4c584779e3276979c 0 0
COM Hijack via Sdclt Omkar Gudhate Sigma Integrated Rule Set (GitHub) ab8743ded66b586929aa13e45ceb037d6d8b0070893c7f23eb993baabe393a9d 0 0
COMPlus_ETWEnabled Command Line Arguments Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) Sigma Integrated Rule Set (GitHub) 37c4f090dee0ead128c75a30b117563fd3376ddf2e4b622311b167c9a3b1ba18 0 0
COMPlus_ETWEnabled Registry Modification Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) Sigma Integrated Rule Set (GitHub) 35fa58d3974ddf4be72ca9c5273ff5dfde7de065d8b27e4baef1189a9c10014d 0 0
COMPlus_ETWEnabled Registry Modification Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) Sigma Integrated Rule Set (GitHub) cc1b63adcbcba57ac6edb7913c2741cb0bee32fe4301f250ee4087ba643a654f 0 0
CVE-2010-5278 Exploitation Attempt Subhash Popuri (@pbssubhash) Sigma Integrated Rule Set (GitHub) d934f98bfa1d3842f51f86448d12eaa5d7ae665d51986c839307e4494210607e 0 0
CVE-2020-0688 Exchange Exploitation via Web Log Florian Roth Sigma Integrated Rule Set (GitHub) 00d02232ebab9d4ccdb763022a32fda3d58da65c29159ed6992ba07072196b09 0 0
CVE-2020-0688 Exploitation Attempt NVISO Sigma Integrated Rule Set (GitHub) 5bbc9c67b6f5cb0d9b567b095ac079935288aace38c952feeefe24cca8db2fbf 0 0
CVE-2020-0688 Exploitation via Eventlog Florian Roth, wagga Sigma Integrated Rule Set (GitHub) b8583b9acaa360ecfe76d00ff9d352cbdf6d3107d975a243b3ffb45ea03c67e9 0 0
CVE-2020-10148 SolarWinds Orion API Auth Bypass Bhabesh Raj Sigma Integrated Rule Set (GitHub) b8a891b94f9eaba11d1c04c2500b004dcd5a7de6f8e0722ef3d08f910741c37e 0 0
CVE-2020-1350 DNS Remote Code Exploit [SIGRED] (via DNS) SOC Prime Team SOC Prime Threat Detection Marketplace 332d13dcb0a4e1a6c422484f6927e7408031f7270166ea37cf7f557c68ec5efa 0 0
CVE-2020-1350 DNS Remote Code Exploit [SIGRED] (via DNS) SOC Prime Team SOC Prime Threat Detection Marketplace 5cf068578d60f0e62a85062e3f528e2e675df78e1d1b2324b93218b97404a4bd 0 0
CVE-2020-1350 DNS Remote Code Exploit [SIGRED] (via cmdline) SOC Prime Team SOC Prime Threat Detection Marketplace 241626240096e85dd40e071e886b505b28444c8f3af6df03ef5c13b9d9776cda 0 0
CVE-2020-1350 DNS Remote Code Exploit [SIGRED] (via cmdline) SOC Prime Team SOC Prime Threat Detection Marketplace bd554d600bee5054372f731217934ed318c54147855183a261c54405ef43c54a 0 0
CVE-2020-5902 F5 BIG-IP Exploitation Attempt Florian Roth Sigma Integrated Rule Set (GitHub) 28e45cf616425b3c243efdcab379f55c65b9c0717203ffc48f3c3f124c310ff5 0 0
CVE-2021-1675 Print Spooler Exploitation Florian Roth Sigma Integrated Rule Set (GitHub) d7d444c9a70f46cddde00a1fd7df0120fbe71489ab597d307121ebaa8d8fabf6 0 0
CVE-2021-1675 Print Spooler Exploitation Filename Pattern Florian Roth Sigma Integrated Rule Set (GitHub) 873bf5dd3d347e031a1a45c3c7da75768415ed8da25fe6136b24881f29b6ba3b 0 0
CVE-2021-1675 Print Spooler Exploitation IPC Access INIT_6 Sigma Integrated Rule Set (GitHub) f011655155a4809262d5b5b289c20c070c7a7dec29d95846c91f3e39396d8bcc 0 0
CVE-2021-21972 VSphere Exploitation Bhabesh Raj Sigma Integrated Rule Set (GitHub) 2215493140650ea52f95acdf1c79355498c6a798bd8ab94a6943d450e765fd0c 0 0
CVE-2021-21978 Exploitation Attempt Bhabesh Raj Sigma Integrated Rule Set (GitHub) 82d6ddf5b00dd27b2c72d0ff170f126fdfad3155a287a936bd9d6075a8f8d944 0 0
CVE-2021-26858 Exchange Exploitation Bhabesh Raj Sigma Integrated Rule Set (GitHub) bea74b1863b1262ffbfa6ffd29da720d86bdcd7ad6ea4a27a2da1c563fcb5093 0 0
CVE-2021-3156 Exploitation Attempt Bhabesh Raj Sigma Integrated Rule Set (GitHub) 236292ff7ca8a69ab14291cb8d62c04d3b02986279a40bf5a30c9345804f78bc 0 0
CVE-2021-3156 Exploitation Attempt Bhabesh Raj Sigma Integrated Rule Set (GitHub) 5d4f849169f7cbe8f891d2622b175e4a42e41f434ea0540e841504b3b7de6e41 0 0
CVE-2021-3156 Exploitation Attempt Bhabesh Raj Sigma Integrated Rule Set (GitHub) 908809e40074898d7b460586768c977b2a700582c38d0355eb3f7e823d8d2c59 0 0
CVE-2021-3156 Exploitation Attempt Bhabesh Raj Sigma Integrated Rule Set (GitHub) ab3709539b01cbfabb623bf86f278fcfc6c5bb5e735e7b13392f184bd6bfbfc6 0 0
CVE-2021-3156 Exploitation Attempt Bhabesh Raj Sigma Integrated Rule Set (GitHub) daa2b8c9a016f7a9553030afbe735cc198ea85e381594ee1f438d0c54496b152 0 0
CVE-2021-31979 CVE-2021-33771 Exploits Sittikorn S, frack113 Sigma Integrated Rule Set (GitHub) 3fc8cf89558a3ec50308aea72b7745ae0f219f9882cda378f1cbf0487a7a3e32 0 0
CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum Sittikorn S Sigma Integrated Rule Set (GitHub) 70390bef07d59937cec0216e008ce815799b4c22a5e260a684ed6bfac4fdcd1c 0 0
CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum Sittikorn S Sigma Integrated Rule Set (GitHub) 9c20b726dcc3e2be564bb8c45c1c3372d7051d5cf3ff87aa65115c110cb62f4b 0 0
CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum Sittikorn S Sigma Integrated Rule Set (GitHub) a5aa00b412cd8e83e52f741ce80dafabe03f640d00ccf9f43a9c610344a8627c 0 0
CVE-2021-33766 Exchange ProxyToken Exploitation Florian Roth, Max Altgelt, Christian Burkard Sigma Integrated Rule Set (GitHub) 8f5525eb13728c689fc0e016fae75537d736213235bcab835284983e3ec2e37a 0 0
CVE-2021-40444 Process Pattern @neonprimetime, Florian Roth Sigma Integrated Rule Set (GitHub) f438a85d4d0729d23171fa1823ccdb8541fc46f2e71ea2827ad42bc7f373a360 0 0
CVE-2021-40539 Zoho ManageEngine ADSelfService Plus Exploit Sittikorn S, Nuttakorn Tungpoonsup Sigma Integrated Rule Set (GitHub) 0c9b01c970160550c39d032237474fe010d45a8b283b53084a214bb65abf5fae 0 0
CVE-2021-41773 Exploitation Attempt daffainfo, Florian Roth Sigma Integrated Rule Set (GitHub) 785c77adf74a5ac52d0c7c196fb79ad631311bdc96913b8d2e2b6f6486c36578 0 0
CVE-2021-44077 POC Default Dropped File Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 3ad3f26b92d2442c828898d8d576b108116639952e23e140655f058b6a03601b 0 0
CVE-2022-24527 Microsoft Connected Cache LPE Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 39809f574bd56b1dea5fc43fa0766a4e242b3f02d25f4cc138a9d34f850e3927 0 0
CVE-2022-31656 VMware Workspace ONE Access Auth Bypass Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 1cf59ae9ff5a081bc97dec79c05c8f01b9f6ba7f71e907200e83ab7d5eec3e0e 0 0
CVE-2022-31659 VMware Workspace ONE Access RCE Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) bfae7dd5de2cc1be11a85762c9a4e9dcc75b72cc64c865a8c1aa30886b53cb3f 0 0
CVE-2023-23397 Exploitation Attempt Robert Lee @quantum_cookie Sigma Integrated Rule Set (GitHub) d03d6ef87c35d045be74c0b4e83fdf1d82094e9e8e7dc4dd0b3a991e1183c794 0 0
Capabilities Discovery - Linux Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) c7d7a76816d1701b70058175cd64c9141dd713d3f50d5f0d656227b1e6b3b530 0 0
Capture Credentials with Rpcping.exe Julia Fomina, oscd.community Sigma Integrated Rule Set (GitHub) 15be2ea21971f32bb037bc7f681259a4f9e1989cf78ab9a1dd5f8efe68cfcdbb 0 0
Capture a Network Trace with netsh.exe Kutepov Anton, oscd.community Sigma Integrated Rule Set (GitHub) ed43493e84bcb41bf4a6e8d03279fa79baffdfa16300655622641d8b9754d344 0 0
Cerber Ransomware Ariel Millahuel SOC Prime Threat Detection Marketplace 064b8f335c5dad53244cfd14a7c51a8fd536dc8c86741bd6699e06ffdc7563a1 0 0
Cerber Ransomware Ariel Millahuel SOC Prime Threat Detection Marketplace 509dbbd043383b28efe214cbd5f61869746cda8dd2069a844d35af2ad5c12e71 0 0
Certificate Exported From Local Certificate Store Zach Mathis Sigma Integrated Rule Set (GitHub) 8c89cbee7e29ba90d3d255c084d1cd2d894d8554bc8c6a0e23f848fa0cedcc1e 0 0
Certificate Exported Via PowerShell Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 5d6cbfca798cb6cc7bd8029cf8dda1f2096f0f7f9a422bdde483cdc370a4ab12 0 0
Certificate Private Key Acquired Zach Mathis Sigma Integrated Rule Set (GitHub) beec2af2d4d83b34085ae8f8046960cbe62957a2b2161262398ec726f4582d69 0 0
Certificate Request Export to Exchange Webserver Max Altgelt Sigma Integrated Rule Set (GitHub) 9ec2157972ed064f3fd9dc25d8dd71195ab84c7747a3c17923cb09230442d76b 0 0
Certutil Encode Florian Roth, Jonhnathan Ribeiro, oscd.community Sigma Integrated Rule Set (GitHub) 1b6510b58b9f16b947f9e665c0a3f3902f2d51f54d01596eb9545d8fd6631aa1 0 0
Chafer Activity Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community Sigma Integrated Rule Set (GitHub) 01364fb1c5ccb780456530afa742fccc7c5de42d1cbac829fd6f4c435888f499 0 0
Chafer Activity Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community Sigma Integrated Rule Set (GitHub) 173b1203b0d58ac13e3b93542a1017cf3769eb4ba1be56bb4bc926e53578dc74 0 0
Chafer Activity Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community Sigma Integrated Rule Set (GitHub) 1d13c62f756a81c5138fc3c57236cc1ec96910a5b90687e628170734dae53640 0 0
Chafer Activity Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community Sigma Integrated Rule Set (GitHub) 1f40062e963356a7f04535a0f3fb4eec269440ca226f367f7b8bab940022cac4 0 0
Chafer Activity Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community Sigma Integrated Rule Set (GitHub) 353ed25aa9f2dfe8e0a56f2a3321d579ce4e7e8d20563769e0f02ff01ac06c3a 0 0
Chafer Activity Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community Sigma Integrated Rule Set (GitHub) 4207cea59e80ca7ec1b55f3bd2cfae0e47398daf8485c73feabf38a1484ac532 0 0
Chafer Activity Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community Sigma Integrated Rule Set (GitHub) 5a93f630933a2040c4795df341b70fd08f3b7f1730c331cb6e025d13fe3d7d30 0 0
Chafer Activity Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community Sigma Integrated Rule Set (GitHub) 6d4dbcdef02bddd827d8a0739ad5f31dc3844674ae32cf4be9de19c3e4202940 0 0
Chafer Activity Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community Sigma Integrated Rule Set (GitHub) b1eb7ac5e07136335fc21860603d89c40eb6488824477f00827b6749b15c1217 0 0
Chafer Activity Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community Sigma Integrated Rule Set (GitHub) fed33455c8438e9a672de5f0fc2f48651ff0449b0427f5747e2b98db25e3088f 0 0
Chafer Malware URL Pattern Florian Roth Sigma Integrated Rule Set (GitHub) cadeba64d91814a5bec0863ecd58722639024a5eb3b5f8e1059bf7ac84765c9f 0 0
Change Default File Association Timur Zinniatullin, oscd.community Sigma Integrated Rule Set (GitHub) 6143134666e4626abac4d906c673c60d7fdb48a48b44f2817af790432cae836f 0 0
Change User Account Associated with the FAX Service frack113 Sigma Integrated Rule Set (GitHub) 26eb124f6709979c69bbb0025f3a401c81cde2ba2f83098c32504f896490fc2d 0 0
Change the Fax Dll frack113 Sigma Integrated Rule Set (GitHub) 1cd0c62ae8a59243c600f2ecbb1c6b3e7b207c19dfdbc91defb8557cdfecef34 0 0
Change to Authentication Method AlertIQ Sigma Integrated Rule Set (GitHub) b48b8735d4b0c36f6b4415f9561a541fe792f70783e40570d3558a3bdb50c550 0 0
Changes To PIM Settings Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H' Sigma Integrated Rule Set (GitHub) 94959dff01cdd28a250a85a42bf6d1f929fcad2d6921cf8ec73ad94b5f982fca 0 0
Changes to Device Registration Policy Michael Epping, '@mepples21' Sigma Integrated Rule Set (GitHub) c58894734cae6401122b9f113877703c228c29a8fa3e4e32c1441c985c927215 0 0
Chmod Suspicious Directory Christopher Peacock @SecurePeacock, SCYTHE @scythe_io Sigma Integrated Rule Set (GitHub) 859cf7876f0c68da27f3e292a5e428393e9a8004af0c330fae9787dac43b7bfe 0 0
Chopper Webshell Process Pattern Florian Roth (Nextron Systems), MSTI (query) Sigma Integrated Rule Set (GitHub) f3eb453b2f9a52250e3b43746736f8c9e0f1cfe7cf56756a7301cc6d67045bd6 0 0
Chthonic Banking Trojan Ariel Millahuel SOC Prime Threat Detection Marketplace 5915609df8f0f33be9c7c82797ba777d92dff34c96c4483d76ea06e3a514454e 0 0
Chthonic Banking Trojan Ariel Millahuel SOC Prime Threat Detection Marketplace b4b70fd58934de4a756c315437db626d32720d43be443f75f71a2eb971673f69 0 0
Chthonic Banking Trojan Ariel Millahuel SOC Prime Threat Detection Marketplace bb3d22a048ab0177787e51d23515065a6af77e3dad57b621b06f01af9fa36675 0 0
Cisco ASA FTD Exploit CVE-2020-3452 Florian Roth Sigma Integrated Rule Set (GitHub) 58180314ba9a1b6fc6135d8a5452d7ec429cce39bb8a0ee05e19b8cf2240315e 0 0
Cisco BGP Authentication Failures Tim Brown Sigma Integrated Rule Set (GitHub) c1c6460f01da4621d940943b027bb03ad82d2e169061a67ae8d8c857e5053d58 0 0
Cisco Clear Logs Austin Clark Sigma Integrated Rule Set (GitHub) f2d0601cc4bc2b37896ef81bb36379f95f6d6da0f54e5d298d76af6e9e34dfc6 0 0
Cisco Collect Data Austin Clark Sigma Integrated Rule Set (GitHub) 2c692110983c838f0baff38e18c9350ae3def6ff7afca5af55221519eed38387 0 0
Cisco Crypto Commands Austin Clark Sigma Integrated Rule Set (GitHub) c3f4d338f538ec307b874891bf2dbd5f3ab916918bdca04a2ed53da9cb5ba3d5 0 0
Cisco Denial of Service Austin Clark Sigma Integrated Rule Set (GitHub) c9b1080d16e9e0175fdcbb202f1842cefd864c57eaa6a64ff1c1b4d6a5e71ae4 0 0
Cisco Disabling Logging Austin Clark Sigma Integrated Rule Set (GitHub) caab8d24d82768943d8a9bc5bc8ec1de7d099ef18de8846a7a84c7a0c123ae9e 0 0
Cisco Discovery Austin Clark Sigma Integrated Rule Set (GitHub) 922dd1761e6de8935b8deddf2c702455c9687e7ce9135ddc502be597a434ebf1 0 0
Cisco File Deletion Austin Clark Sigma Integrated Rule Set (GitHub) a81d06d9e233156764ebf91e560a8a01fdf1b044beeaaa400b065b5be267cbb0 0 0
Cisco LDP Authentication Failures Tim Brown Sigma Integrated Rule Set (GitHub) e25b710f3b1915a497274ca420eccf7ce816686420806bebb413fd621f516a4b 0 0
Cisco Local Accounts Austin Clark Sigma Integrated Rule Set (GitHub) 066ace76e41c5e84ccb56804255ccf2d9c27332fc287e77151b9a6bd70f1d723 0 0
Cisco Modify Configuration Austin Clark Sigma Integrated Rule Set (GitHub) e1d658a7e96d34fae9c9489f15cc7e66d2d932e0902ae1d9b63e49f69008a557 0 0
Cisco Show Commands Input Austin Clark Sigma Integrated Rule Set (GitHub) 52e2f120bc6f6a2fdea0d88c7334e68be41c50e02ac50ad9447e3b97ccc8e8c8 0 0
Cisco Sniffing Austin Clark Sigma Integrated Rule Set (GitHub) 8acea30044d76f3304a28112da3f66be2f2b9d450a7cdd1784f9c45ad56191de 0 0
Cisco Stage Data Austin Clark Sigma Integrated Rule Set (GitHub) 3ba27fda76b2e27f70c6f07a668f4d28b5903a7813afffa184749aeb9b961725 0 0
Citrix ADS Exploitation CVE-2020-8193 CVE-2020-8195 Florian Roth Sigma Integrated Rule Set (GitHub) afd8157e130ac5b1e85a83666d958d63adfa7ab570ebfbdcabdc1b7034b9f9c1 0 0
Citrix Netscaler Attack CVE-2019-19781 Arnim Rupp, Florian Roth Sigma Integrated Rule Set (GitHub) 98e0f69c0d080f1ab9346e1ebed9222049669b100a11bbaa8b110d9d96ad8828 0 0
Clear Command History Patrick Bareiss Sigma Integrated Rule Set (GitHub) c5903ffafd80f3200d3223dd44f4e4200331a8bfef040c23fc1812186018c6b9 0 0
Clear Linux Logs Ömer Günal, oscd.community Sigma Integrated Rule Set (GitHub) 4a4b8d80ea9937a6728e92b1079891255ed26e302f37e290db84bbaffc71c386 0 0
Clear PowerShell History Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community Sigma Integrated Rule Set (GitHub) 860e5b755d1cea66957a1dad5567ffc45ea7e50f98c8c0958538a8507ec82f71 0 0
Clear PowerShell History Ilyas Ochkov, oscd.community Sigma Integrated Rule Set (GitHub) Sigma Integrated Rule Set (GitHub)-dfba4ce1-e0ea-495f-986e-97140f31af2d 0 0
Cleartext Protocol Usage Alexandr Yampolskyi, SOC Prime Sigma Integrated Rule Set (GitHub) 1f1ab8a0a3fe05dc5f6db77a733d09949a236725db888a8fc8999542edaa9d84 0 0
Cleartext Protocol Usage Alexandr Yampolskyi, SOC Prime Sigma Integrated Rule Set (GitHub) 4ffd878e89c72b4ceec82aae1b81d7e86116017e259d0f026184c047ac87f080 0 0
Cleartext Protocol Usage Alexandr Yampolskyi, SOC Prime, Tim Shelton Sigma Integrated Rule Set (GitHub) 550069c609adf898c0cd2425bccf7458002df9eda036de658988e3fc1c99025d 0 0
Cleartext Protocol Usage Alexandr Yampolskyi, SOC Prime Sigma Integrated Rule Set (GitHub) d2de6c91a552659c64031d52630045d58a65e9b7f816c23dffb75c531fe65479 0 0
Cleartext Protocol Usage Via Netflow Alexandr Yampolskyi, SOC Prime Sigma Integrated Rule Set (GitHub) 5a34aa084745df161fe9743db142a1c40cb5ee3886200a67d6ad228a51483a8a 0 0
Clipboard Collection of Image Data with Xclip Tool Pawel Mazur Sigma Integrated Rule Set (GitHub) bba5d6f743a4d29df17318bea6702db4ec9ccad741bcfd230545482d2f75c48b 0 0
Clipboard Collection with Xclip Tool Pawel Mazur, Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC Sigma Integrated Rule Set (GitHub) 05e02a479959ef4e06411f4b132dbfbf2eff4ab9239d4732bc6b92c1762decc4 0 0
Clipboard Collection with Xclip Tool Pawel Mazur Sigma Integrated Rule Set (GitHub) 5750f0c9e7a5b3d955a1de73bac6ad176f1d221bbe3b3a3c29db1eba3f280619 0 0
Clipboard Data Collection Via OSAScript Sohan G (D4rkCiph3r) Sigma Integrated Rule Set (GitHub) 9456883e215175e623eb73fc5dbb97051dd3a45173a64f1b6fdd7f0fe53870f2 0 0
Cloudflared Tunnel Connections Cleanup Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 48787c99cfb6d0430c601a44d4594a6eafff633bca387f3be21825df6a8869d1 0 0
Cloudflared Tunnel Execution Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 143bb177d88746ae7cb80c574d4992f4ffef743521dc06124cbc5cfe61ff6a66 0 0
Cmd.exe CommandLine Path Traversal xknow @xknow_infosec Sigma Integrated Rule Set (GitHub) 66a17168752e700a1b57242bfc6b9a345959b5142a99316865e1d44df709c32f 0 0
Cobalt Strike DNS Beaconing Florian Roth Sigma Integrated Rule Set (GitHub) ae9cf008e7075ab1e5658ff0f1449d564314bf06bb13fc381dda84df5e63e523 0 0
CobaltStrike BOF Injection Pattern Christian Burkard Sigma Integrated Rule Set (GitHub) e1f2db3ffec989759e5467440cde906de0dd4aa563b137379e91daed32103267 0 0
CobaltStrike Load by Rundll32 Wojciech Lesicki Sigma Integrated Rule Set (GitHub) a92c2c006c3ed7f60668afcb77342db1049d166af7ab991eb0d6cd8c3e2b2a59 0 0
CobaltStrike Malformed UAs in Malleable Profiles Florian Roth Sigma Integrated Rule Set (GitHub) e4c423de550bfad9e2962081acef2175c6383ee5809f156deedc218690445bcc 0 0
CobaltStrike Malleable (OCSP) Profile Markus Neis Sigma Integrated Rule Set (GitHub) acdef10f5ebf1c2a007b873f8340f11064f333ffafafbe6d5458758dfafd1a60 0 0
CobaltStrike Malleable Amazon Browsing Traffic Profile Markus Neis Sigma Integrated Rule Set (GitHub) 4c8dcd1969f5864da6d00d316324cc9c07906eb46dcd52cb5ef77dec09e5f886 0 0
CobaltStrike Malleable OneDrive Browsing Traffic Profile Markus Neis Sigma Integrated Rule Set (GitHub) e3debddaebc6a6805b6ecd204901a61dc7771baba667b06ae7259af94cbd15da 0 0
CobaltStrike Named Pipe Florian Roth, Wojciech Lesicki Sigma Integrated Rule Set (GitHub) acc7e9be68d0e1ad85dc9aafc935bc08834e6cc9a7cc48742991e53d197a46af 0 0
CobaltStrike Named Pipe Pattern Regex Florian Roth Sigma Integrated Rule Set (GitHub) 337224175c49faeb48d475b30549b027ea2f3c467baf9b22a069f35aebe5bd66 0 0
CobaltStrike Named Pipe Patterns Florian Roth, Christian Burkard Sigma Integrated Rule Set (GitHub) 905fc9490af8169f526089d670a3608b44417c93f5ab5a80be4f4e507ea02668 0 0
CobaltStrike Service Installations Florian Roth, Wojciech Lesicki Sigma Integrated Rule Set (GitHub) 07ed77ae45c45cd6dbde58702a9401f505bb4cd22daf19d09993a5c55b05ec21 0 0
CobaltStrike Service Installations Florian Roth, Wojciech Lesicki Sigma Integrated Rule Set (GitHub) 1528f16fe86df1015680377eab269f8383ca863cc09a040605bbd624ab36512e 0 0
CobaltStrike Service Installations Florian Roth, Wojciech Lesicki Sigma Integrated Rule Set (GitHub) 52fb124d4388460bedaa284c35492d9da80a1d697d6610dcdcfa5dc688ad118b 0 0
CobaltStrike Service Installations Florian Roth, Wojciech Lesicki Sigma Integrated Rule Set (GitHub) bd6e98a1ffa061e8610929a967d533a5f85adf437c7f2694f4b79edcf04c254f 0 0
CobaltStrike Service Installations Florian Roth, Wojciech Lesicki Sigma Integrated Rule Set (GitHub) d47c2221db7aa13e5c3645ca6ec5b315a643a4b9f5a9e50af5bece9e79885196 0 0
Code Executed Via Office Add-in XLL File frack113 Sigma Integrated Rule Set (GitHub) 166571671ff0b50e7d6b641f7490790a2762897cb0cbbe9e2d489edb3d71010e 0 0
Code Execution via Pcwutl.dll Julia Fomina, oscd.community Sigma Integrated Rule Set (GitHub) d893a429c2ce543e3a265b3794e1845676e899c8dab1ac888aca5607d9821ae7 0 0
Code Injection by ld.so Preload Christian Burkard Sigma Integrated Rule Set (GitHub) ef655b20c81f4dddb081e2c7fe6c60ee0ea86d7e37cdf55fe02cd0c8586de4d1 0 0
Code Integrity Blocked Driver Load Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) e6e7ace9263c4389270ed38b7e0c29fbdc243a863684b3c39cbef17bd49812a1 0 0
Commands to Clear or Remove the Syslog Max Altgelt (Nextron Systems), Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC Sigma Integrated Rule Set (GitHub) 82fe97976c538cbc804bd324c0c8e95c4df77ed62a637f5e1d33dd2d9c9b416d 0 0
Commands to Clear or Remove the Syslog Max Altgelt Sigma Integrated Rule Set (GitHub) 9a49b4476704bd301f2c0b13c87316f7e92aef899ef21b8e3f6db3c943390df6 0 0
Common Port with Unusual Service SOC Prime Team SOC Prime Threat Detection Marketplace 448567e1372cc2d57c61ba1258607614de4959656f08b0c769cc4a2d4b6adf6b 0 0
Communication To Ngrok Tunneling Service Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 66c8b63b56d52c8e957113c3f77712e8f387682164afca0cd844ddf44255d5a1 0 0
Communication To Ngrok Tunneling Service - Linux Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 4923797d38f9e57931d4c2524c152b3df9355de308a97dccb63f2d0cfffc3461 0 0
Compress Data and Lock With Password for Exfiltration With WINZIP frack113 Sigma Integrated Rule Set (GitHub) b6ab11c7f95ec7eeb0c511d3c26533628fe403bbf4d5d8e13ba54958aa6899da 0 0
Computer Discovery And Export Via Get-ADComputer Cmdlet Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) ba0dcf90e36e7408825fbc2ef8c0738174fd31ac01bdf199a594035504753788 0 0
Computer Password Change Via Ksetup.EXE Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 1b69c2b97209ab8f9dd58e3300058e91e7473df6ba78a0ad001451070d2f29b9 0 0
Confluence Exploitation CVE-2019-3398 Florian Roth Sigma Integrated Rule Set (GitHub) 51b242528b12df33e19aef0d9c491da0899ee0c15706bd24fa1d8bbfdd0c0e20 0 0
Connection Proxy Ömer Günal Sigma Integrated Rule Set (GitHub) 70f387e708b9ab503041091a0b074a7d2aa84dea74f61b398fa6fc3f154dacaf 0 0
Container Image was Uploaded via Unusual Client. Brandon Hart SOC Prime Threat Detection Marketplace 0b491699d6ca77a7ec742e9676c80395862b7093ff6ffbfb2aa1d4d22e32f84e 0 0
Conti Backup Database frack113 Sigma Integrated Rule Set (GitHub) a8204898cf8fc5736e342a77657426a9af40b6b573152d2d6e852a3112dead6d 0 0
Conti NTDS Exfiltration Command Max Altgelt, Tobias Michalski Sigma Integrated Rule Set (GitHub) 0b3dd39a21682b0ad57453e8c2da509ea751696a9ed99cae7fb6658a7c77adde 0 0
Conti Ransomware Execution frack113 Sigma Integrated Rule Set (GitHub) c41fdd8a72030a4b0b96e025a1f36e7970262ad1e17a4ad2a29f643cb2033927 0 0
Conti Volume Shadow Listing Max Altgelt, Tobias Michalski Sigma Integrated Rule Set (GitHub) 08ef6e8b498eef96cef9154fc59c951d935c3fc9b707146c4eca4567eaa5db9f 0 0
Control Panel Items Kyaw Min Thein, Furkan Caliskan (@caliskanfurkan_) Sigma Integrated Rule Set (GitHub) 2f683c72a6ae438b4161918b9e82bb9c7e09f701f65f85be9231ced52084f219 0 0
Copperhedge Malware (Hidden Cobra) Ariel Millahuel SOC Prime Threat Detection Marketplace aa72a19331c2c067f40e6e48ff853baac0a3d4a25566bc66809995fc42cf7cd8 0 0
Copy .DMP/.DUMP Files From Remote Share Via Cmd.EXE Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) a292fe3208d4e527b02e65976d44d0f6cfe4c3966558ae97f2b6ab6403ffdb94 0 0
Copy Passwd Or Shadow From TMP Path Joseliyo Sanchez, @Joseliyo_Jstnk Sigma Integrated Rule Set (GitHub) 8ded73daf32e44d8446fc45b91e962b9508d911e85c06d0481f7c4321eba41fd 0 0
Copy from Admin Share Florian Roth, oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st Sigma Integrated Rule Set (GitHub) 253df726683ee378cff180cb32526ec9f10b897edda084113b11cbeba118fbe3 0 0
Copying Sensitive Files with Credential Data Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community Sigma Integrated Rule Set (GitHub) 8712e0baf2cbfba40ac1ad1854da93829b0f78d6eba117de03912aa985d46a79 0 0
Correct Execution of Nltest.exe Arun Chauhan Sigma Integrated Rule Set (GitHub) f2418d4c95e6ea8c75c68ad4358af3fc47e78b7630289f9d13fe04dc688a039b 0 0
Covenant Launcher Indicators Florian Roth, Jonhnathan Ribeiro, oscd.community Sigma Integrated Rule Set (GitHub) 2957c0808592ab632134afd63650be8c47697a8350bb5cb19a8272b9da595777 0 0
CrackMapExec Command Line Flags Florian Roth Sigma Integrated Rule Set (GitHub) 3b089e7f895f7da0d05f361a5815b3fb843bf243e11174993b9d167b40cdd5ba 0 0
CrackMapExec File Creation Patterns Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 025208b5b73f1640ce17844eb62f40d4ee3a9bf72b84c9cf66b9777b72e2ed33 0 0
CrackMapExec PowerShell Obfuscation Thomas Patzke Sigma Integrated Rule Set (GitHub) c5f36e07dfb01984d08d19db1fe7f194936f079b371ab900d58eff493b972744 0 0
CrackMapExecWin Markus Neis Sigma Integrated Rule Set (GitHub) 4937cb1804ae450d1760b136159503b4a353a27a37e6b66253c12834ae1fa611 0 0
CreateDump Process Dump Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 687da476fe7fa5f062fed8f4a4daf9774c0ac4734d817bf428d2c8de23a0b15f 0 0
CreateMiniDump Hacktool Florian Roth Sigma Integrated Rule Set (GitHub) 9ba3182e2ff92ecee64624cd2f1f24935f5ebeb42a5e6530cad6ea428e2941ea 0 0
CreateMiniDump Hacktool Florian Roth Sigma Integrated Rule Set (GitHub) b0407739067c1a391ad55a8b30a1c8109e9239a36d94cf389a4f842a53e36f73 0 0
CreateMiniDump Hacktool Florian Roth Sigma Integrated Rule Set (GitHub) b66ace0358aa3fe35f98b7d2f726aab76956778883e2fd65cbc867bae21e360a 0 0
CreateMiniDump Hacktool Florian Roth Sigma Integrated Rule Set (GitHub) db9bea11b648e60a727a16af04702fe0746657460d47aa50814a4f7999f58cb6 0 0
CreateRemoteThread API and LoadLibrary Roberto Rodriguez @Cyb3rWard0g Sigma Integrated Rule Set (GitHub) 7b3a31059be73d0a2a66f61915b2e5a4f5a37cea4d4de5e3cc8c24f5e2a310f1 0 0
Creation Of A Local User Account Alejandro Ortuno, oscd.community Sigma Integrated Rule Set (GitHub) de6224d573389a0f865f0a33bd9bc3784cd12bf697150f8f8e0a9708a4e00199 0 0
Creation Of An User Account Marie Euler Sigma Integrated Rule Set (GitHub) f796279cc60013c4736e3ef7e5a140375fba8a3d78694c9d524620326ae8efcf 0 0
Creation of a Local Hidden User Account by Registry Christian Burkard (Nextron Systems) Sigma Integrated Rule Set (GitHub) 958ac16256f17b20c00b2a83f4bbad49236266d2b84e59eb2d3c29989efc96b0 0 0
Cred Dump Tools Dropped Files Teymur Kheirkhabarov, oscd.community Sigma Integrated Rule Set (GitHub) 45248d2871f8e9f12191effed010f35a307cc4e1eb1350ad7dd486fc07bc0bdb 0 0
Cred Dump-Tools Named Pipes Teymur Kheirkhabarov, oscd.community Sigma Integrated Rule Set (GitHub) 9eed77c2ef05fafded05e61ec71d8bdd695696543061ef8b84fca37d1606484e 0 0
Credential Dumping Tools Accessing LSASS Memory Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community Sigma Integrated Rule Set (GitHub) a293708df42b2beba9f1a26e123fed278dfc67f5946ce8c995b2800c58d69e2f 0 0
Credential Dumping Tools Service Execution Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community Sigma Integrated Rule Set (GitHub) 1243009f29fe311d9199398e8babee9294e8f9e57205fe6ebec6696ab0eec9e0 0 0
Credential Dumping Tools Service Execution Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community Sigma Integrated Rule Set (GitHub) 433b594a58a12c33431c033f7e53c41d5f635df8cee206163112bfffde169958 0 0
Credential Dumping Tools Service Execution Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community Sigma Integrated Rule Set (GitHub) 9a7af0218101ae1b67047098f1cf187e06c88982ba45ad3ef1c685c27788b02d 0 0
Credential Dumping Tools Service Execution Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community Sigma Integrated Rule Set (GitHub) ad25ab512a3789c7da7d55a7b60c4d528db1206a0a4d26f3f44d945cc456cc2d 0 0
Credential Dumping Tools Service Execution Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community Sigma Integrated Rule Set (GitHub) be637f31d674fd7f3e36ce2982a40811732c7bbd70435fdb0378ab0bcbd73618 0 0
Credential Dumping Tools Service Execution Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community Sigma Integrated Rule Set (GitHub) cda32da0a87ef0f9603fc5592471efd0b39082003d4bc39f06871a5dd4336130 0 0
Credential Dumping Tools Service Execution - System Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community Sigma Integrated Rule Set (GitHub) 61e2aaf48c321983d311349f6bced27944c28bcd53f96ee143d8a0a1c321a5f2 0 0
Credential Dumping by LaZagne Bhabesh Raj, Jonhnathan Ribeiro Sigma Integrated Rule Set (GitHub) 8cca9e462f882fe58e9f320bb7380d7edbaaaab831521d9f739cca42cf64db37 0 0
Credential Dumping by Pypykatz Bhabesh Raj Sigma Integrated Rule Set (GitHub) e7a973176dcaaa7050f1a216ca0d3075bfc12fecf2db13696af32148bd07d6bf 0 0
Credential Manager Access Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 24966e29f8ae02e09ad40f3d903269a0ead88427f40a35139eb4d628aa926547 0 0
Credentials In Files Igor Fits, oscd.community Sigma Integrated Rule Set (GitHub) 26d8c61d691959676fb6d8b0217d408f4dde823800f79771a458011d3577ffbb 0 0
Credentials In Files Igor Fits, Mikhail Larin, oscd.community Sigma Integrated Rule Set (GitHub) bb9fce766014ab2fb22106410384571f0217fa35e9914bdc3dd86452d8d4ed64 0 0
Credentials from Password Stores - Keychain Tim Ismilyaev, oscd.community, Florian Roth Sigma Integrated Rule Set (GitHub) 0a2ce7410c4271e6c41926b4fe0f5903a05d4a02cd8dcd4a273e86065b3f46b6 0 0
Crontab Enumeration Joseliyo Sanchez, @Joseliyo_Jstnk Sigma Integrated Rule Set (GitHub) 23f3512bc30a856ca1f3906b9e52716a70df17c2083065536ac9ea6176aaf3ba 0 0
Cross Site Scripting Strings Saw Win Naung, Nasreddine Bencherchali Sigma Integrated Rule Set (GitHub) abfc554e6723d78308adb5dd0917e5604dac15611a98637633eae81fc3aff08f 0 0
Cryptbot Stealer Ariel Millahuel SOC Prime Threat Detection Marketplace 06c9cbff1ed607186f04da92f2cf1648e2db7108306751e56b1e9f5123d11b60 0 0
Cryptbot Stealer Ariel Millahuel SOC Prime Threat Detection Marketplace b2707a69365d76d4836147eeaf9407e838f5322fcbd5f89cf86c86f1ba4239d5 0 0
Cryptbot Stealer Ariel Millahuel SOC Prime Threat Detection Marketplace cdf252693ebe9b52f81229cb74ba8436f6cfdf9cc5c11f178cf9edb027c266aa 0 0
Crypto Miner User Agent Florian Roth Sigma Integrated Rule Set (GitHub) ff0cfc194b0f8edd392e317c8a3d0e012351873096248a33ca36c2b71f5ab3a1 0 0
Curl Start Combination Sreeman Sigma Integrated Rule Set (GitHub) 78dc71a5599dc85b3d37a6ab0f014aa5110b2ce1b2346c8f2730e0c481977781 0 0
Curl Usage on Linux Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) e576f496b0ac03c619b88124a419d2c717d3f5e3f5506a17e145443091bda155 0 0
Custom Class Execution via Xwizard Ensar Şamil, @sblmsrsn, @oscd_initiative Sigma Integrated Rule Set (GitHub) c0bd5b42809f6cdda07709c25bc0f42cbb0a674ce80ec8c63788ef1efd31cdc5 0 0
Cybergate RAT Ariel Millahuel SOC Prime Threat Detection Marketplace e806ec700e831384b0d77c8508e1614d850eb5c7ccb89a9b745d0871c0136e5d 0 0
DCERPC SMB Spoolss Named Pipe OTR (Open Threat Research) Sigma Integrated Rule Set (GitHub) 9aca3bd938d644fb20cf3d83a10353ff1440153ab17579e69ed2ee17848c5d93 0 0
DCRat Malware Ariel Millahuel SOC Prime Threat Detection Marketplace 35dd39a15009dacc7bdd973a9fb1484b964accb38bbcb7a63bc0b1bf73131df0 0 0
DCRat Malware Ariel Millahuel SOC Prime Threat Detection Marketplace d6883f28a13f18946f9da1e0d84588bc6e01de49d97cdecbb8b3d5bc2b945880 0 0
DCRat Malware Ariel Millahuel SOC Prime Threat Detection Marketplace d84b3a1cba66ed28c6c66d9a5dd807e984d42ba3b1e61ae45717b77695109095 0 0
DD File Overwrite Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC Sigma Integrated Rule Set (GitHub) ae140eaae48e1659eb9013e9c7758cc3ebb59100fc5bce9ede4e8a0ca0fb76b7 0 0
DEWMODE Webshell Access Florian Roth Sigma Integrated Rule Set (GitHub) 9e465f124d03f3f4a5d575cc4d87bde86fda1fa3092da13a47c07f473c865bbc 0 0
DHCP Callout DLL Installation Dimitrios Slamaris Sigma Integrated Rule Set (GitHub) 08a22f080dbceb91fd6109159e695139744d9c12f6d94b12c35474b710aeb4ae 0 0
DHCP Server Error Failed Loading the CallOut DLL Dimitrios Slamaris, @atc_project (fix) Sigma Integrated Rule Set (GitHub) 11670a8f337ded0b6b72a5c41df4831c1b1da694f85e044e4afe1839d5dbc82d 0 0
DHCP Server Loaded the CallOut DLL Dimitrios Slamaris Sigma Integrated Rule Set (GitHub) 4928e3042535af018624a20ce17e807b66cf935200331da04e2db35a1b6cb695 0 0
DIT Snapshot Viewer Use Furkan Caliskan (@caliskanfurkan_) Sigma Integrated Rule Set (GitHub) 203a47b7ef9f6721efefc8005ca1492daf475a9b03afc70af3fde9780df06253 0 0
DInject PowerShell Cradle CommandLine Flags Florian Roth Sigma Integrated Rule Set (GitHub) 10bbdc113d1dc5813708dd95928a8d1a38b22ab4b85bc027daaf8ac7aae65c9b 0 0
DLL Execution Via Register-cimprovider.exe Ivan Dyachkov, Yulia Fomina, oscd.community Sigma Integrated Rule Set (GitHub) dd9b6910a5e264c2b56a7a735f0cfc2cab9c341775db4a260bbadf7815d05772 0 0
DLL Execution via Rasautou.exe Julia Fomina, oscd.community Sigma Integrated Rule Set (GitHub) 18ed0db67fcc790c2b7e9ff5c111ae3691af0b9f2d52618d41d7f956ce8aa598 0 0
DLL Injection with Tracker.exe Avneet Singh @v3t0_, oscd.community Sigma Integrated Rule Set (GitHub) b829a2f1ed89d5380f218ac5f6e134b4301319062cf792789557f30f6f903d24 0 0
DLL Load By System Process From Suspicious Locations Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) a341c10327c4d8c5407ea5b704ad11932a391174e37332792a2b456adf4ee9b8 0 0
DLL Load via LSASS Florian Roth Sigma Integrated Rule Set (GitHub) 4dbf0d3da4d07dd172361786684269e5741eb3602ce1bf2c2c287041e8abe017 0 0
DLL Loaded From Suspicious Location Via Cmspt.EXE Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 7fde3c5ae3c028a596ad8a76eb1a4b7ab0f64f939f847ef0f25f723659fbae8a 0 0
DLL Loaded via CertOC.EXE Austin Songer @austinsonger Sigma Integrated Rule Set (GitHub) 42f3abed5774e74cc80412cad617ceb1f8881fc484a38c351eed5b589c80dee3 0 0
DLL Sideloading Of ShellChromeAPI.DLL Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) d07d6140d7d6a4e6a50db53310ea4d80cb48d33c95e0ced5e0570d488c2afc0b 0 0
DLL Sideloading by VMware Xfer Utility Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 101d7b771d2663a74e9a33cf0dc8d8475af6fe5fd97cda9ecccde0e9c99325b6 0 0
DNS Cache Enumeration(via CIM/WMI) Den Iuzvyk SOC Prime Threat Detection Marketplace 11f3c97d5bb96ad59c7eb445ca4feeab94c4ea4fbc54c6a6ff11061bab8a11b3 0 0
DNS Events Related To Mining Pools Saw Winn Naung, Azure-Sentinel, @neu5ron Sigma Integrated Rule Set (GitHub) ed013f86bfbbcd25b8e462391d437165af76f6ca7e0b33cde4fceb2ee58d3e57 0 0
DNS Exfiltration and Tunneling Tools Execution Daniil Yugoslavskiy, oscd.community Sigma Integrated Rule Set (GitHub) b5eeb195cf8da826ce09652556c789913808b5869a15ad6d6771d084721b65e0 0 0
DNS HybridConnectionManager Service Bus Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) Sigma Integrated Rule Set (GitHub) 3aadcde102c8a083c36e571f1926927d5bdeddec39fc0f3ca9c514988407c7fe 0 0
DNS Query for Anonfiles.com Domain - DNS Client Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 12c2f09405eb6cfb663a8cb88fab690da7fc0b72826d360fa3c6714abd86b972 0 0
DNS Query for Ufile.io Upload Domain - DNS Client Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) c79f5bc9cf7e15e6774913e56090aed7fc5e39f8a3736629ce5efd2eb94d220a 0 0
DNS Query to External Service Interaction Domains Florian Roth (Nextron Systems), Matt Kelly (list of domains) Sigma Integrated Rule Set (GitHub) 9cd7d0464b2ec471865497eaad8a6c4d1a73db7c60ab90f17e39cd455bb7c847 0 0
DNS RCE CVE-2020-1350 Florian Roth Sigma Integrated Rule Set (GitHub) c2b9377be93da37de7a04778f2a879e0e03b32b8aa2f1d0dd8b7c1ba72d7727b 0 0
DNS Server Error Failed Loading the ServerLevelPluginDLL Florian Roth Sigma Integrated Rule Set (GitHub) a560dac7223fded812b9599d8c99d99739563099829698349739e8edeb365cc8 0 0
DNS ServerLevelPluginDll Install Florian Roth Sigma Integrated Rule Set (GitHub) 5935b25ff10421da2a478f9f484858a9599e6551a17272c7a4017c6e1a55df07 0 0
DNS ServerLevelPluginDll Install Florian Roth Sigma Integrated Rule Set (GitHub) 8435be4251ebdf2b4f18ae9d65faca381dc2fad4574c29cff3a962e5c9237487 0 0
DNS ServerLevelPluginDll Install Florian Roth Sigma Integrated Rule Set (GitHub) 8a0b41208edc45c1f006ab6da0f12b0b819a810a16ba4179e2ef632571eafa18 0 0
DNS ServerLevelPluginDll Install Florian Roth Sigma Integrated Rule Set (GitHub) cfcbc45713ff3176a1284f986927a251f17c892931e87871325476256b26bb0c 0 0
DNS TOR Proxies Saw Winn Naung, Azure-Sentinel Sigma Integrated Rule Set (GitHub) 1b16378c68113f05c5cf4b51586d582401449553cf4775243b8ce459ef59ef99 0 0
DNS TXT Answer with Possible Execution Strings Markus Neis Sigma Integrated Rule Set (GitHub) 8960985ab852fb33eb502577cd94683447f94e1a5299bfb607905f6a591cc78e 0 0
DNS Tunnel Technique from MuddyWater @caliskanfurkan_ Sigma Integrated Rule Set (GitHub) c2860e5a2a470c1dbb00003a43f3a9f04e5180cb5c7ec9e7a5bdcdfdd86a15a9 0 0
DNS-over-HTTPS Enabled by Registry Austin Songer Sigma Integrated Rule Set (GitHub) 0426d73fef7393ca82c3fbe1bedafc6d698e787d2cd679e17ae93a3b446a487f 0 0
DNSCat2 Powershell Implementation Detection Via Process Creation Cian Heasley Sigma Integrated Rule Set (GitHub) b31e87788fbc1690d2371c0a80ebe27cf8c7a433c9a7f28b1a077ba534308772 0 0
DPAPI Domain Backup Key Extraction Roberto Rodriguez @Cyb3rWard0g Sigma Integrated Rule Set (GitHub) d9a0bb3db2e444420bfe144e0ffc3f7e4dd9315a4792d088f6d79b706ac5fac0 0 0
DPAPI Domain Master Key Backup Attempt Roberto Rodriguez @Cyb3rWard0g Sigma Integrated Rule Set (GitHub) 084c47f6ea9d2126ec7b6b95e20cdf54557800f1b8394ae472f95b6162be6db1 0 0
Dacls RAT (Lazarus's Linux Malware) Ariel Millahuel SOC Prime Threat Detection Marketplace 79cabd2716a91ac3ac201a106a3c135e584d110d8527ac138457a5b89fb2b2a6 0 0
DarkRAT Botnet Ariel Millahuel SOC Prime Threat Detection Marketplace 097182ab9d206700057ec3ab10e6684d34c9b3ff109901a14fb1dbd8da889d95 0 0
DarkRAT Botnet Ariel Millahuel SOC Prime Threat Detection Marketplace 0d8a277066bf7279215ee87bce9077e63ee0037f495593431ddbff9fa822c179 0 0
Data Compressed Timur Zinniatullin, oscd.community Sigma Integrated Rule Set (GitHub) fb2193574c75e35df0989335aac30e2e13f3b8163caf7eef46058ae407b19e98 0 0
Data Compressed - rar.exe Timur Zinniatullin, E.M. Anhaus, oscd.community Sigma Integrated Rule Set (GitHub) e5fedf5f2a45c0555943282d3dd05186495acc374df19f7735f92d6d648dd1bb 0 0
Data Exfiltration to Unsanctioned Apps Austin Songer @austinsonger Sigma Integrated Rule Set (GitHub) bae0cfa813856773ccb7c9ac2654b2f064928c841cb1442d6dda554b4e346c98 0 0
Data Exfiltration with Wget Pawel Mazur Sigma Integrated Rule Set (GitHub) 334aab46cbdf770ef0720448d240e1b67c2a759449b703fba9d425f1450d83f9 0 0
Decode Base64 Encoded Text Daniil Yugoslavskiy, oscd.community Sigma Integrated Rule Set (GitHub) 0f307ac40cafbbdb1e262b899732195a25952ad5bb013ca8e6d280eefd45a141 0 0
Decode Base64 Encoded Text Daniil Yugoslavskiy, oscd.community Sigma Integrated Rule Set (GitHub) 6101f5b902371808a5b407d66c189f259bec69ab6b4cf5b58a655af663843c71 0 0
Decode strings from lnk via findstr.exe Joe Security Joe Security Rule Set (GitHub) 9d57b9ed7a852960b15a4d2a7fb4faa9174893a98953c9f09989faab11ed110d 0 0
Default Cobalt Strike Certificate Bhabesh Raj Sigma Integrated Rule Set (GitHub) 19a7f2dd57b12f6048694290890081c7033fcf871e2c6ac4ddac91980374c15b 0 0
Default Credentials Usage Alexandr Yampolskyi, SOC Prime Sigma Integrated Rule Set (GitHub) 65501b5c31cfa5ab80e3a4512b833f9e4bb77ef303f17fc8839abf9c1b435969 0 0
Default Credentials Usage. Alexandr Yampolskyi SOC Prime Threat Detection Marketplace 3ed924bf0f9ebfc7642bd2eb1a2b925d801ff58fd267c5066fe579c55051e5cc 0 0
Default PowerSploit and Empire Schtasks Persistence Markus Neis, @Karneades Sigma Integrated Rule Set (GitHub) 40b130caca0f58482d7bae973cb51c3d6c7a02a91a7f448a1c19eb96333f5a10 0 0
Defrag Deactivation Florian Roth, Bartlomiej Czyz (@bczyz1) Sigma Integrated Rule Set (GitHub) 1ab376818e4cb7b7005cf46c5c118f9d09e2779f289cd7f37afc5fca8fc6e4f5 0 0
Defrag Deactivation Florian Roth, Bartlomiej Czyz (@bczyz1) Sigma Integrated Rule Set (GitHub) 462e0455aac7979a208190934de4564c8d6f5759fa73ea355f31b871967ed1eb 0 0
Defrag Deactivation Florian Roth, Bartlomiej Czyz (@bczyz1) Sigma Integrated Rule Set (GitHub) 4a305b6df01e5870b2018b579218b7e7b94bcc24e0959629d5cd3812d771d39b 0 0
Defrag Deactivation Florian Roth, Bartlomiej Czyz (@bczyz1) Sigma Integrated Rule Set (GitHub) f7c48f991deaa5a1f44d21dc156d1989c5c383f971da93ecc1eaf11928860293 0 0
Delegated Permissions Granted For All Users Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow' Sigma Integrated Rule Set (GitHub) 7e53f4cfbdfd2c5fa0247d5fe1ab4a1b36136af1830a5d80710976b3908c48dd 0 0
Delete Log from Application frack113 Sigma Integrated Rule Set (GitHub) 4d5c0f83a4373919c5837ae554218d0f9f5a99734abf344ba8aa116d3f489bc2 0 0
Delete Volume Shadow Copies Via WMI With PowerShell frack113 Sigma Integrated Rule Set (GitHub) 57a9202655d8133d3a5eb0a9d51c9f5dedb6b15cfc700005f6f0d686df4f2ba2 0 0
Delete Volume Shadow Copies via WMI with PowerShell frack113 Sigma Integrated Rule Set (GitHub) 7435e1880cdd78f155ad539eaf8348f3ea0d6fa1183fac382443553cac2159be 0 0
Denied Access To Remote Desktop Pushkarev Dmitry Sigma Integrated Rule Set (GitHub) 755295cd9d58dfbf7808166ecd446d284fa160fe7f2e2b5673aeef6cc5cb0a44 0 0
Deployment AppX Package Was Blocked By AppLocker frack113 Sigma Integrated Rule Set (GitHub) 7da40e839cf5f0d73087f8c6c4717de3ec7a13449ce8e188460f89e33b12e2ae 0 0
Deployment Of The AppX Package Was Blocked By The Policy frack113 Sigma Integrated Rule Set (GitHub) dfe6fcb13ba0be0c88ad6cf05f81ace91ae31f8bc6eccf703deaa99c200d55dd 0 0
Detect Sql Injection By Keywords Saw Win Naung Sigma Integrated Rule Set (GitHub) 7940d1dd84f2a311d67ac511006deeead549c05a4cadaca9908e1071a153106c 0 0
Detected Windows Software Discovery Nikita Nazarov, oscd.community Sigma Integrated Rule Set (GitHub) 296c4235eb2d9969dd70271f37fd8708d44ea158f9a24508790c33c5b6003dae 0 0
Detected Windows Software Discovery Nikita Nazarov, oscd.community Sigma Integrated Rule Set (GitHub) 45e686dc153cf8d6e5cf577bc67b50dc6668c51412eddb7aede600f65fd5e9f0 0 0
Detected Windows Software Discovery Nikita Nazarov, oscd.community Sigma Integrated Rule Set (GitHub) ddc07067e955f9f404023ebf4e274002f57acb50f1fe16fe88b6704df84b3864 0 0
Detecting Fake Instances Of Hxtsr.exe Sreeman Sigma Integrated Rule Set (GitHub) 8dd172636988b9cdc1bf44aaceb27f6009d97516c54decea0812022b61cd8d7a 0 0
Detecting Sysmon on a Victim Host (via powershell) Ariel Millahuel SOC Prime Threat Detection Marketplace 9d639e1b707b6f24ae8b637df63d5ac02aac0933b062d3477fa84d3194dc4e7b 0 0
Detection of Possible Rotten Potato Teymur Kheirkhabarov Sigma Integrated Rule Set (GitHub) 45c3c61e20707c18533d763c9e1c0a2f3abd229bd485f75c933da3e4ba156186 0 0
Detection of PowerShell Execution via DLL Markus Neis Sigma Integrated Rule Set (GitHub) 5980c0048e6d0468659094b73e0c348afcf2c52a7842e03089c1279a023c70c9 0 0
Detection of PowerShell Execution via Sqlps.exe Agro (@agro_sev) oscd.community Sigma Integrated Rule Set (GitHub) 541caef712c71465ca223d69670a2ef4826f41323f21f161bc699c23ba201602 0 0
Detection of SafetyKatz Markus Neis Sigma Integrated Rule Set (GitHub) 5b2f81ece2c70e3e5e4dd770e0b9c755c90c099bf527d2b257d43e1193585d13 0 0
DevInit Lolbin Download Florian Roth Sigma Integrated Rule Set (GitHub) 6c91ae4afec46136577c1773ed9b9e0de2efd87a7f856d642c840bcd7ecc1a2f 0 0
Device Installation Blocked frack113 Sigma Integrated Rule Set (GitHub) c4ef183c583634c30e2ec4b60aecf6212b479a205961b7a079cf77cf3a10498b 0 0
Device Registration or Join Without MFA Michael Epping, '@mepples21' Sigma Integrated Rule Set (GitHub) a158153f262e73c2256d05133ad9d1479ec9fbd516352021e325ee5e7373be61 0 0
Devtoolslauncher.exe Executes Specified Binary Beyu Denis, oscd.community (rule), @_felamos (idea) Sigma Integrated Rule Set (GitHub) 336df26c319863147659e184f6387914d5b34b55eeb4dabe819907f747016967 0 0
DiagTrackEoP Default Login Username Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) ef6b78708541778890f149b517c7191263263f7e3d08908ab5d2e6d2b370d91b 0 0
DiagTrackEoP Default Named Pipe Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) a64d5075ca8a68f98e37b952659116501a5fca9bdfa256bec6ee04447d1726b8 0 0
Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE Greg (rule) Sigma Integrated Rule Set (GitHub) 59b298e2e3b915378e28421e82fd8ba5669ee9eb26f07f878bde7303b4baf016 0 0
Direct Syscall of NtOpenProcess Christian Burkard (Nextron Systems), Tim Shelton Sigma Integrated Rule Set (GitHub) e01fcd88ad6ac5ad9762f652a28d6c714dc5ccf89b89c118bdd3bb33e5cf8abd 0 0
Disable Exploit Guard Network Protection on Windows Defender Austin Songer @austinsonger Sigma Integrated Rule Set (GitHub) 8c426cb2a8a98a743f8e95cb5717e867cc5d4d22fcc97255e10fac2d59176fac 0 0
Disable Macro Runtime Scan Scope Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) e448df332034272fce5d2071fe9f070084a293696a4d9f879591bcd91b12d862 0 0
Disable Or Stop Services Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 0aefa5af3ce18645188a34cbad40ebfc008ebab07e5d5404a636792bb7023634 0 0
Disable Privacy Settings Experience in Registry frack113 Sigma Integrated Rule Set (GitHub) e047bdf5f28a6d7c67d53f5cae5362d16ec6a73c354de983be8efbd7d19039ff 0 0
Disable Security Events Logging Adding Reg Key MiniNt Ilyas Ochkov, oscd.community Sigma Integrated Rule Set (GitHub) 6eaa9c84915e6b68d49ea0ea6b069124ad33f6d9666e8baf43270a57ee9e1b2a 0 0
Disable Security Tools Daniil Yugoslavskiy, oscd.community Sigma Integrated Rule Set (GitHub) d934cd2adbdfb7c12ed5f937e36ed253d3f53495f0194507c0ea80b55f983957 0 0
Disable Sysmon Event Logging Via Registry B.Talebi Sigma Integrated Rule Set (GitHub) 4bcaa5dacb5e1eb968ca726b5580829575896d88af4c640f430427376c3fffe8 0 0
Disable System Firewall Pawel Mazur Sigma Integrated Rule Set (GitHub) bfb6779f8bcb262174ab1cdfd6dc6c24f7ab01aa0510928dc59d51257c11e472 0 0
Disable Windows IIS HTTP Logging frack113 Sigma Integrated Rule Set (GitHub) 8e9b40932ae787a51edc9fadbb2fd842437eea7b83804b0090d7f069e2d0a5f2 0 0
Disable of ETW Trace - Powershell Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) fb21aa9533b87e78511396a558c521c85a35533d4f9f44f9380e79dcee68ae56 0 0
Disable or Delete Windows Eventlog Florian Roth Sigma Integrated Rule Set (GitHub) 780ed5be93f71a397b1b6c9d95912c0781c2ed9114eef8fc5aec854bf80b1f2c 0 0
Disabled IE Security Features Florian Roth Sigma Integrated Rule Set (GitHub) dd832d1e805b850c68be7f120da6482e6126a8ee0860e3355d54604a2040eee7 0 0
Disabled MFA to Bypass Authentication Mechanisms @ionsor Sigma Integrated Rule Set (GitHub) 53b242e959d09f957c67fcb81b740965ebe398e9ef22bb0d8ec23f5dd1add1d4 0 0
Disabled RestrictedAdminMode For RDS frack113 Sigma Integrated Rule Set (GitHub) e448d82f06478af407e6d655ffbea46e7a876deeda7f5ab28f9de6183e6708a4 0 0
Disabled RestrictedAdminMode For RDS - ProcCreation frack113 Sigma Integrated Rule Set (GitHub) 5075a0208eb230de355c4c0125a6de311c4310421450c41c6c09a979f9ce0307 0 0
Disabled Users Failing To Authenticate From Source Using Kerberos Mauricio Velazco, frack113 Sigma Integrated Rule Set (GitHub) a87dc529f00cccdafd3037358d753f5b37bdbc5d5860e077d8794985d3d93f5d 0 0
Disabled Volume Snapshots Florian Roth Sigma Integrated Rule Set (GitHub) 570e42eea810ffc81d8b3f1b5d284c891c1ca4a897bc6a8d5307ba5ac4feebbe 0 0
Disabling Security Tools Ömer Günal, Alejandro Ortuno, oscd.community Sigma Integrated Rule Set (GitHub) 17b8565aac7819789a47a069aa7bbdb1c69f755edcfcb766c10e1d973768a357 0 0
Disabling Security Tools Ömer Günal, Alejandro Ortuno, oscd.community Sigma Integrated Rule Set (GitHub) 495b384015032ab9c529e649f340c35394c72a7ace8daf0aecc9b3fe7bb5f54e 0 0
Disabling Security Tools Ömer Günal, Alejandro Ortuno, oscd.community Sigma Integrated Rule Set (GitHub) 7c1caf17a217864cc13be5d7320e631c61b949686fc630c72b5d143d1b4cdbbb 0 0
Disabling Security Tools Ömer Günal, Alejandro Ortuno, oscd.community Sigma Integrated Rule Set (GitHub) df800176ac79cd510a92bccecd1ec64124d8917bd009406abd5457f353896225 0 0
Disabling Security Tools - Builtin Ömer Günal, Alejandro Ortuno, oscd.community Sigma Integrated Rule Set (GitHub) 7657d165811c7f6d4f9ff55e9ce81d8405e42f6157faed664f28bbc8fe97e560 0 0
Disabling Windows Event Auditing @neu5ron Sigma Integrated Rule Set (GitHub) d73609956e7379a0917a1fd771e4351b523579011a752df34e3ed749bf878180 0 0
Discord client stealer (AnarchyGrabber) Ariel Millahuel SOC Prime Threat Detection Marketplace d513011ab49524e73ae98c85b1f902158f55f0412551679d5acbb03eee68c4a3 0 0
Discovery Using AzureHound Janantha Marasinghe Sigma Integrated Rule Set (GitHub) 285046a386633dc2065de3a86c090ace867fc6f4d6ea14d4dcb8e3129bbe7292 0 0
DiskShadow and Vshadow launch detection Eugene Nechiporenko, SOC Prime SOC Prime Threat Detection Marketplace 85495f94a180f99ee2283759ac8a387cd3df5ff6802bcebcd6fd16bd75788af7 0 0
Django Framework Exceptions Thomas Patzke Sigma Integrated Rule Set (GitHub) fad46f86c5fe8acee91d73cf5901cf64df547e2777230845acfe89b79cbf172a 0 0
Dllhost Internet Connection bartblaze Sigma Integrated Rule Set (GitHub) 0469df5507574c65082f62410c1cc9e493ba1daeff82396b38a60516c6f4187c 0 0
Dnscat Execution Daniil Yugoslavskiy, oscd.community Sigma Integrated Rule Set (GitHub) c625578e8b4d44c52ee346e1df82116ed7e4896e4caad93d0fdb7fba487dbfdf 0 0
Domain Trust Discovery Den Iuzvyk SOC Prime Threat Detection Marketplace 4fba485fa9f02eb8d0e28a7b84276fb6a276943a2948a62fe3d614248af840fd 0 0
Domain Trust Discovery Jakob Weinzettl, oscd.community Sigma Integrated Rule Set (GitHub) 50137e4985d62ff32fe9acc8ecd34bbc1e546bce28ae9d0c168c5bc0e62c2098 0 0
Domain User Enumeration Network Recon 01 Nate Guagenti (@neu5ron), Open Threat Research (OTR) Sigma Integrated Rule Set (GitHub) 11a4140a5787cdd2ea81d81e4e06755144d3c4abe02a886ec68eeb79c5273223 0 0
Domestic Kitten FurBall Malware Pattern Florian Roth Sigma Integrated Rule Set (GitHub) d75f4b248c10259b1011107000396926b1a9e5cd4b0031500be48aee109855b5 0 0
Donotgroup APT Ariel Millahuel SOC Prime Threat Detection Marketplace 431dbf8b11cf45bebac6646a5fe3c450c306b29edaf25977675ee072495216f8 0 0
Donotgroup APT Ariel Millahuel SOC Prime Threat Detection Marketplace b3a4cba903a56c4b1c614cbde0de39dbec54a5aa5c8c8990df7f654b4a4c05ab 0 0
Donotgroup APT Ariel Millahuel SOC Prime Threat Detection Marketplace d65688b1788bfa0f9d3f71219812a68ef61b2de1f9da32a3be8f9ce57314eba0 0 0
Dotnet.exe Exec Dll and Execute Unsigned Code LOLBIN Beyu Denis, oscd.community Sigma Integrated Rule Set (GitHub) 3fba0f206c1c867f04a34552b850e8eeb0b219621923d394bddad4789f293152 0 0
Download Arbitrary Files Via MSOHTMED.EXE Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 60d28276317f25fdc7fa0acce62da99237f387d5ab5624b5f0fb9a3311f144ed 0 0
Download Arbitrary Files Via PresentationHost.exe Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) ffb4d3b820e87f926948fb36dd6a790bd67e547ee318bb322626148b736139f7 0 0
Download EXE from Suspicious TLD Florian Roth Sigma Integrated Rule Set (GitHub) 0182cb90eb98bcbd6b9724bdf7aa6f62ee6e327b059e24257dfd8339db0d3579 0 0
Download File To Potentially Suspicious Directory Via Wget Joseliyo Sanchez, @Joseliyo_Jstnk Sigma Integrated Rule Set (GitHub) c14acc44b7a21724d221a1ace54effc332427d0340619e20a9dc8a66cec01ec7 0 0
Download from Suspicious Dyndns Hosts Florian Roth Sigma Integrated Rule Set (GitHub) d24da8eb78bf79c4be60dc23a68bd4ced6da6a3ad0eca8e8c2f4f43d08527e24 0 0
Download from Suspicious TLD Florian Roth Sigma Integrated Rule Set (GitHub) 5ccaad9297f4a0eab603caddab274e285f600daadd324b7ff0b1664d5fa19675 0 0
DragonFly variant (Goodor) Ariel Millahuel SOC Prime Threat Detection Marketplace 76c36e8978ca88131a604877350f6d74659dd6354870487d271706837731f68c 0 0
DragonFly variant (Goodor) Ariel Millahuel SOC Prime Threat Detection Marketplace b36ce9f509e99bf322f61b552fe1197b17812c6ec7e34429e60852ccce9b21ff 0 0
DragonFly variant (Goodor) Ariel Millahuel SOC Prime Threat Detection Marketplace f9376b94f03fe9d6f1fa80fe124bddee8d9d51ee56b3e761e3b550f5717ea1e8 0 0
Driver/DLL Installation Via Odbcconf.EXE Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 5a904d51bdf849fcbc2359cd5f5bfe7fb4f4a689bdb4ad7295d051464f07c8a2 0 0
Dropping Of Password Filter DLL Sreeman Sigma Integrated Rule Set (GitHub) ee1da0ec4e59bf6a30e8d78efcf41afcbe4babcee998f991aa62701b5fdb80df 0 0
Drovorub Malware Detection Ariel Millahuel SOC Prime Threat Detection Marketplace 00861734ad4b4865c4fd337b091aace8388feda059f681fa1a0d0a6659b55d31 0 0
Dump Ntds.dit To Suspicious Location Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) ae98f10c9c3089fe4172736d9574028281ef25bce3681b6a3006bcb97ab56bd1 0 0
DumpStack.log Defender Evasion Florian Roth Sigma Integrated Rule Set (GitHub) 9aa94cce0b20ff88d8c54a77c049e7d80f00af8ed4def6aa7395dc01692b5394 0 0
Dumpert Process Dumper Florian Roth Sigma Integrated Rule Set (GitHub) 4182b10f293111ccccca770ada467f9a23c6679818008b7436e1842cac95a691 0 0
Dumpert Process Dumper Florian Roth Sigma Integrated Rule Set (GitHub) 758c2b360e853174de27738caef97d466db11778427f5db30224884512b55494 0 0
Dumpert Process Dumper Florian Roth Sigma Integrated Rule Set (GitHub) 9f11ecfc5795bbd9676baf8be43d9bd9f6da30f13022e7d97b279730326db7ad 0 0
Dumping Lsass.exe Memory with MiniDumpWriteDump API Perez Diego (@darkquassar), oscd.community Sigma Integrated Rule Set (GitHub) c2b930e9318dce446b4b4ed018e6ade935182bf7ca1404ae47923673beafee95 0 0
Dumping Process via Sqldumper.exe Kirill Kiryanov, oscd.community Sigma Integrated Rule Set (GitHub) b8953b2fd9eedf5150cb430ec88f3653045e82c553904a73f87423600b427bee 0 0
Dumps Process Using tttracer.exe Den Iuzvyk SOC Prime Threat Detection Marketplace 1b2196c83bd73a6164882d3b22f19d200742a1d5541207b0e4b8684476e12ce2 0 0
Dupzom Trojan Ariel Millahuel SOC Prime Threat Detection Marketplace 38bcd0b136a2a67b8c4d5b7a13cd98cf8590d84aba9b380e944c2f8ba851554f 0 0
Dupzom Trojan Ariel Millahuel SOC Prime Threat Detection Marketplace 68250cc49ef2301bbd3bc5104579a2f065206211acccf6978a71097bddd98d6d 0 0
Dupzom Trojan Ariel Millahuel SOC Prime Threat Detection Marketplace b68ad5ecfba8b9b44e110368c029c99324cfa21b478209746fa0fcc441e51659 0 0
EDR WMI Command Execution by Office Applications Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule) Sigma Integrated Rule Set (GitHub) 283d42c1fadd5e7b1d94efc708531703992e171a52b45eefe6e2eba61827fcdc 0 0
EKANS/SNAKE Ransomware (Sysmon detection) Ariel Millahuel SOC Prime Threat Detection Marketplace 164ef4a9c3213fa19bce8c0def1c7e491e774e8b12b55aaf55c5cc2732b4386f 0 0
EQNEDT32.EXE connecting to internet Joe Security Joe Security Rule Set (GitHub) 3b421cd3a4401c0dfc3d2c5613d705669e2bdcf8d998c4e363d2e1e5cbd328d4 0 0
ETW Logging Disabled For SCM Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) b25c9cdef72ebd81a0d1211a4769034192cd8c731778d8a88a1b327aac9b8b14 0 0
ETW Logging Disabled For rpcrt4.dll Nasreddine Bencherchali (Nextron Systems) Sigma Integrated Rule Set (GitHub) 2e3038ae7bc47420e50f90cbb3decb3348aedcdda901f3ce021b9d2efa66be73 0 0
EVTX Created In Uncommon Location D3F7A5105 Sigma Integrated Rule Set (GitHub) be104b5c33d23ea5b193fa207267ec1f1058e6a2096a14b67fc5c957fdb94b85 0 0
Edit of .bash_profile and .bashrc Peter Matkovski Sigma Integrated Rule Set (GitHub) cebaa2668c1b09efe1fcc6d468abfb9aa15dbba4c6e04246ba9e9f0bf407dc65 0 0
EfsPotato Named Pipe Florian Roth (Nextron Systems) Sigma Integrated Rule Set (GitHub) 33bbc287fcdff32099d907d122b96db06214e7ef12bdbe38cc574df4fbcd94ff 0 0
Elise Back